{
  "type": "Domain",
  "indicator": "tidelift.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/tidelift.com",
    "alexa": "http://www.alexa.com/siteinfo/tidelift.com",
    "indicator": "tidelift.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2687191076,
      "indicator": "tidelift.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69d967590f40c612c90ce84f",
          "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
          "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-04-10T21:10:49.749000",
          "tags": [
            "malicious",
            "Microsoft",
            "intent: reckless",
            "wiper",
            "Transip",
            "bankers document gone rogue",
            "Tehran",
            "pdfkit.net",
            "United",
            "broken Docusign seal",
            "esign violation",
            "us lawyers",
            "Iran",
            "IP Abuse US",
            "Spreader",
            "corruption that spread",
            "52.123.250.180",
            "Mass Data Loss and exfiltration",
            "Docusign exploited by insecure workflows",
            "Adobe exploited by insecure workflows",
            "threat map",
            "Infra / healthcare / more at risk from this negligence",
            "remediation: long. expire the certs. block 53..",
            "accountability, NOW.",
            "Burned",
            "Kitplay",
            "iOS",
            "Watering hole",
            "Webkit",
            "Religious Regime",
            "MS Office",
            "Compliance Hold Purgatory",
            "WIN EXE.32",
            "Firmware neutral",
            "Trusted Insider",
            "DKIM, SPF, DMARC Failures",
            "APKmirror",
            "ILOVEYOUBABY",
            "No Problems",
            "Christmas Tree EXEC Code Red worm Computer virus Nimda",
            "Wanna Cry",
            "APK",
            "DC RAT",
            "Emotnet",
            "Redline Swiper",
            "Open Door",
            "Bankers Document",
            "Y2K",
            "wsscript.exe, VBE",
            "Compliance Lock Trap",
            "Globalsign 2020 (potentially exploited)",
            "Heuristic Smear",
            "Gatsby Library Loader DLL",
            "w31999",
            "UofA"
          ],
          "references": [
            "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov]  for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
            "People who exploit this put the US at risk. Bottom line.",
            "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
            "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
            "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
            "",
            "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
            "This document might expose someone, more than another.",
            "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
            "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
            "Micro - Dates to look for specific: April/May/June 2025",
            "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
            "Amazon- Check new cert subscribers on or around Sept 15 2025",
            "Entrust to Sectigo- Review vendors",
            "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
            "CA DMV- 2020 exploits, if even exist in your records, may be related.",
            "Digi/Global Sign - audit 2020 digital intersect",
            "Proton.me/Zenbox: Audit July 2025",
            "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
            "APKMirror https://www.apkmirror.com",
            "Google Docs 1.25.202.02 APK Download by Google LLC",
            "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
            "Y2K",
            "US, Philippines, Ukraine, Iran, China. Alberta.",
            "France",
            "Germany, Austria, and Switzerland GmbH",
            "Gatsby Library Loader, DLL",
            "Spellbinding! Indeed. SpellEditor.exe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": "69a82c54067ca1d502b1eb6c",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3921,
            "hostname": 1668,
            "CVE": 14,
            "URL": 1984,
            "domain": 1432,
            "FileHash-MD5": 882,
            "FileHash-SHA1": 946,
            "CIDR": 10,
            "email": 29,
            "JA3": 2,
            "IPv4": 11
          },
          "indicator_count": 10899,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "9 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a103de1e71756a0b58ce416",
          "name": "secret camera * VirusTotal Windows Sandbox",
          "description": "[100s of thousands of people have signed a petition calling for an end to the use of the word \"sex\" in the wake of a fatal accident in London's West Bromwich, which left 11 people dead]<what is this?",
          "modified": "2026-05-22T12:27:31.937000",
          "created": "2026-05-22T11:28:33.791000",
          "tags": [
            "windows sandbox",
            "clear filters",
            "file type",
            "ascii text",
            "pe file",
            "https",
            "ms windows",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "next",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "windir",
            "registry",
            "basic",
            "file name",
            "pe32 executable",
            "intel",
            "file size",
            "sha1",
            "files mitre",
            "windows user",
            "account control",
            "windows",
            "forms",
            "source source",
            "command",
            "enterprise",
            "close",
            "strong",
            "library",
            "address virtual",
            "none rticon",
            "cname",
            "mwdb",
            "bazaar",
            "sha3384",
            "accept",
            "tofsee",
            "shutdown",
            "stream",
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "calls process",
            "Camera",
            "Spyware",
            "illegal",
            "test recall",
            "test recall task 5/12/25"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/88819f8dbc43e0609fbc6f6a1a9fb2740512b8e1e0f2d9e92926c31b8a11d446_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447466&Signature=nXchQzhNktG26CNrpPC2%2FRBVk5CXbCQ6xUNenWVvnvY2n5P71FF7HHw01QiPu3iGSvBSzqmHiB9HByI%2FJgWTdhqYvc9LZy0rI61W0%2FTNVhSNdb1omKNcCW1ikL2n7eR9BFV1ygPOAPnexLqjbK35hzq40mysRVPCVBcmrjs7NkxUh9nHkwmtOOR3Lz5NsYgdUX2AMqykR9pVoyTLy7tkl5Ap9keTZlEoE2RrK6MTO9HBhYPJD%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/99bde29b5d7f5522c0452c95899f63a0cc99a465b516f7eb2980d519fe5a478c_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447513&Signature=vT05qRgkqzlTQQ09TU4VC1ZL9bRV9J6Tgx%2BLYi1Yop0ggmMd9LT5iNFG2AQr%2FZH%2F0pMgqHAgZy%2BRwWUtDV1qO5eBxL%2B8mGzJDZilm%2BhP3%2B%2BKQu%2F76vg8GcDLdxu%2FeLmkj8Dhp9pN4i2cytkeH5zr%2BRHZBvK4uQ47n1zLtlGUSsJ7YXGw%2BWQFVRvu%2B%2B11Jh1PF6x4jF%2B3IbYQ5CZcGLoGbo0PGkN",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448055&Signature=Oo2OUSuLUWDZOZGoPlCv1tD%2FynOTQPpGUV9I%2FgvLt4ZafLu6Vnt%2FoOXLJA9nFZPH5AiUv%2FWd4huRf8%2BPiUQcGMkSOOYn3mJHyE2t6wNKj1BDNjEJ0ozgBjkzBrZ62UZn4p34YCFKx1mj%2BrH75IoSHpRUfJYvgHnJhElGEMhrJc7ieH0I%2FNpcLuxSy9sfujNonmjwsQj9ZWnkGvLPpmiljGhJIomaUZ6GITQcz6QqbInrBN3nHX6mGGk4",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448087&Signature=zly9PmlRQWb4KS0rNwSC6GG0MNzjm7KFDjr%2B%2Few6J4vqKF%2FJhJnnrYPcE0jJDw2QNhVbkyk0ZP2AmxrgmnTVhLcFijlR18xS82aHK99JxYTYDkmlFMr4U3ENyb3KVWsT%2BCuRbwN66pmHE4sdf33jQRi4ZUPxLJwtnLmhmpds%2BM38I%2Fv7pfRhbp7OYurf%2BJ0%2FQT2bwsg7sZEjDUQJ7HSqjOP8unxpFfBHNwC4wr9qawvlz8",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448113&Signature=HGVwYzpWE71%2BbcncRqOn%2BGkFdoAcM0zUAWI1eJD1jsHDcrJKlqO9M0XORZQA5YJxAW65VvTW9omuEH7SypRLJu1W0P3VYs46P7H4Dz1TsNoaNKYhhqpYfKql%2BYbpF7jIqwNfYdG5Uya0aqcIeI7Wx22%2BpByMhnrECSPxpU6wII3hOhgINOcc1mqsMEFfCB4fd%2F3zvfmJ7Rc5HiEea5Qx%2Fm7tB7DjImzqZFtSAQh6qFcSNN",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448247&Signature=KaOoC8k1CwemdPniC2jnlheSiP5jHQwh83WcgjNWDujHQ8F6N7qW1Q3lVUf%2FBjEofHhKuYofMNOHzuLgXjiq%2F4ie2jeMJ2kiAYHGeUvc8RFAO28YMWxIJPmcTSCLcxaOQNbzOOtMF2DO6%2Fw9IodVAr1Yv3SgvamznVqYCu5Din1Q7C0hAc68dxqEbYxXnk9hekwNuVZf81kyLJEmJbSWOxr0ONyt6e7qhV07xe4C1TIJXe%2BH6Zkc8Jp",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448581&Signature=u1m6X7g3%2B46ZDMb0IvTTp%2FbBxgM9iZvfcHnyyGsaqQA%2BxHuw9ZcqfIkIme3jx7%2BblFBuowZqDr1PbGP28vbxcZhaskjIn3w04QkzN%2F6EWbNlPvabmBH3M0F%2FhfTEM8ayozqby2SPWv6azOEd%2FS3MXYnUsOzgOpSh1uIk0iduf4w1ePo4yJAdHv7fc0AUGPzRmssC0jpjqXzao%2F0qbg1JRMMBq0edJZqYiws6vIf%2B2d9O",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449270&Signature=y5dmd%2Br9iDNaXftiyxWZe5cWdAiIpA4H9u6vCT%2FdvFUKL7WV7S2HOKzRyETdhPd%2BF%2FoG5DQwjiN8Yvi10oC6iRsDQY6lbl34%2BOoaljXY4sg13Yyq9v9MMC5DrVBiOta4mYQFQL240y55PVUqOeWoTlaCvh9aA8Mn2iw5ITNNXJVpckpc9C37%2FxyFz8zFSmDEzj3pB2pggacPF34xQm4NB4hDB9ssqGeTsAbv41aOUu4XRV2pyMo9E0xtK2",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449323&Signature=QsivAArVUulKH5N9EOkYOICShe0hR8W0UFhFsPq6t2rlRIdIvciMDBQZ4ooTbp7TpacdxQgFF%2Bi5tH9LdqhGhhF5JPkquaQ5Twm8UjTLbiV4v0PAECarE7LnIShAtYF1LNwCZ6BDcQLYYCofAYGAFJnVZjnwztoy32OFI6WldLKbOfNYUmLe2Api5KarnJezGIPSvZLOJLHh9e6ApJk0PwnTupqxWn0JORAZidwNrGjvoBMeb6gtWmgFnwTO",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449382&Signature=GsaicymiUqs49NLqLPAVvf%2Bv2RwudQDEfcp3TeWyX92n2qwqpH9HWCV422PIRfG9GUe5OGbnGO0mIkaCuWs9fgtMTHtoT6o2uIiPZQNhcAL2tWEv22GoGjIhK0MvnOKG1EKRAA9bdlP5tGpvgOM5usOM55tsgbPUQWGsB19CvRAPS6OZ1eIqrdpLiOeAKK2uIGkaOnOkD4njy1e15fQ0BGPY1rMjdenHRZDu9EXv2zfwqLiUNbp%2B"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4759,
            "hostname": 1513,
            "IPv4": 576,
            "FileHash-MD5": 1418,
            "FileHash-SHA1": 1413,
            "domain": 1263,
            "URL": 1550,
            "email": 27,
            "IPv6": 8,
            "CVE": 5
          },
          "indicator_count": 12532,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "8 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a070f0f379e50ef7c511974",
          "name": "* BumbleBee Loader * CAPE Sandbox - 5/1/25",
          "description": "Compilation Timestamp\n2025-05-01 18:04:59 UTC\nEntry Point 527**\nContained Sections 7\nWritten in C++, this malware functions as a first-stage backdoor designed to establish an initial foothold before continuing its stealthy attack to move into MAAS, operations, and development. Bumblebee is primarily delivered via phishing emails\u2014often disguised as invoices\u2014but its scope also includes PDFs, voicemails, zip files, and images. The malware is highly evasive, routinely checking its environment, executing payloads, and creating LOLBins. Related to Operation Endgame, it notably disrupted regsvr32.exe in May 2024. This specific variant was created on May 1, 2025, and appeared to be set into operation on May 5, 2025\u2014interestingly, just one day after Microsoft changed its DKIM, SPF, and DMARC rules.\ned76019fbae16d3992d1939c38d620185f4520e128f80983a00cadc6a9c3b509\n2025-05-05_77aa5cace886af5e61db8eb4c4cea57e_black-basta_cobalt-strike_satacom",
          "modified": "2026-05-17T05:42:57.697000",
          "created": "2026-05-15T12:18:22.918000",
          "tags": [
            "recovery",
            "name",
            "clothing",
            "dating",
            "concerns",
            "submission",
            "analysis",
            "utc html",
            "info title",
            "information",
            "makeup",
            "home",
            "rams twitter",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 60,
            "FileHash-MD5": 53,
            "FileHash-SHA1": 94,
            "FileHash-SHA256": 360,
            "SSLCertFingerprint": 8,
            "URL": 246,
            "domain": 62,
            "email": 8,
            "hostname": 133,
            "Mutex": 1
          },
          "indicator_count": 1025,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "14 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a070f0dd165196deff2d1bf",
          "name": "* BumbleBee Loader * CAPE Sandbox - 5/1/25",
          "description": "Compilation Timestamp\n2025-05-01 18:04:59 UTC\nEntry Point 527**\nContained Sections 7\nWritten in C++, this malware functions as a first-stage backdoor designed to establish an initial foothold before continuing its stealthy attack to move into MAAS, operations, and development. Bumblebee is primarily delivered via phishing emails\u2014often disguised as invoices\u2014but its scope also includes PDFs, voicemails, zip files, and images. The malware is highly evasive, routinely checking its environment, executing payloads, and creating LOLBins. Related to Operation Endgame, it notably disrupted regsvr32.exe in May 2024. This specific variant was created on May 1, 2025, and appeared to be set into operation on May 5, 2025\u2014interestingly, just one day after Microsoft changed its DKIM, SPF, and DMARC rules.\ned76019fbae16d3992d1939c38d620185f4520e128f80983a00cadc6a9c3b509\n2025-05-05_77aa5cace886af5e61db8eb4c4cea57e_black-basta_cobalt-strike_satacom",
          "modified": "2026-05-17T05:42:56.951000",
          "created": "2026-05-15T12:18:21.528000",
          "tags": [
            "recovery",
            "name",
            "clothing",
            "dating",
            "concerns",
            "submission",
            "analysis",
            "utc html",
            "info title",
            "information",
            "makeup",
            "home",
            "rams twitter",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 61,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 346,
            "SSLCertFingerprint": 8,
            "URL": 245,
            "domain": 62,
            "email": 8,
            "hostname": 132
          },
          "indicator_count": 1005,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "14 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bab8ec17587e77fb87296c",
          "name": "CAPE Sandbox - Immediate Research",
          "description": "Hundreds of thousands of people have signed an online petition calling for the removal of the UK's Prime Minister, David Cameron, from the EU's EU referendum, which has now been held in Germany.",
          "modified": "2026-04-17T14:12:53.840000",
          "created": "2026-03-18T14:38:36.655000",
          "tags": [
            "strong",
            "library",
            "address virtual",
            "host",
            "name",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "ironchain",
            "accept",
            "bitcoin",
            "service",
            "date",
            "execution",
            "openssl",
            "python",
            "title",
            "shutdown",
            "impact",
            "whirlpool",
            "project",
            "enterprise",
            "ransomware",
            "body",
            "crypt32"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/0a563b64423a632dad9cb2b52129d79e1cd336902c699376b749b509ac34cc8b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1773844718&Signature=IO42eMrLK%2FbIjlFqk5%2FGLr3hVuiKBEV%2F7z6YdTxH%2BKfch%2F5FpMOjzzpMyHE%2BjQrYjooxOOfFiuzomTf%2BKgpeO823xO3kVrolF7WjT%2BtRXU3WcJK8GwxuHM%2BeridLzjBJaEs36CMlTwvdgKwTrtyvYs2ZU%2BUZB9sZt%2Balg%2Bc%2Fhk3XSpyitjPffFVwVijVsh5XRZlDrgY%2BK9BDiOE0rXsuMt3mUVwJVmo5fL"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 219,
            "FileHash-SHA1": 163,
            "FileHash-SHA256": 242,
            "domain": 41,
            "hostname": 95,
            "URL": 96,
            "email": 2
          },
          "indicator_count": 858,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "43 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf44d55f8a0cac0847df73",
          "name": "VirusTotal report\n                    for emdprestamos-release.jar",
          "description": "",
          "modified": "2026-03-22T01:24:37.323000",
          "created": "2026-03-22T01:24:37.323000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 87,
            "FileHash-SHA1": 97,
            "FileHash-SHA256": 989,
            "domain": 25,
            "URL": 17,
            "hostname": 9
          },
          "indicator_count": 1224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "70 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf44d3279c3850bad26369",
          "name": "VirusTotal report\n                    for emdprestamos-release.jar",
          "description": "",
          "modified": "2026-03-22T01:24:35.555000",
          "created": "2026-03-22T01:24:35.555000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 87,
            "FileHash-SHA1": 97,
            "FileHash-SHA256": 989,
            "domain": 25,
            "URL": 17,
            "hostname": 9
          },
          "indicator_count": 1224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "70 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916dc43beba2f3839fd7c36",
          "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com",
          "description": "FireEye appears to have been a Cybersecurity  that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ;  reported false information / documentation. FEDNS1.FIREEYE.COM  URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix",
          "modified": "2025-12-14T05:04:31.480000",
          "created": "2025-11-14T07:37:39.794000",
          "tags": [
            "gmt content",
            "related tags",
            "found title",
            "cache control",
            "x request",
            "runtime",
            "vary",
            "reverse dns",
            "ashburn",
            "resource",
            "verdict",
            "address",
            "read c",
            "unicode",
            "high",
            "memcommit",
            "delete",
            "dock",
            "write",
            "execution",
            "next associated",
            "server response",
            "port",
            "destination",
            "crlf line",
            "malware",
            "png image",
            "rgba",
            "united states",
            "medium",
            "encrypt",
            "america",
            "msie",
            "unknown",
            "present jan",
            "name servers",
            "present oct",
            "present may",
            "present mar",
            "present dec",
            "present nov",
            "united",
            "present apr",
            "present jun",
            "urls show",
            "url hostname",
            "ip address",
            "google safe",
            "results jun",
            "canada unknown",
            "passive dns",
            "canada",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "twitter",
            "chrome",
            "urls",
            "files",
            "asn as13335",
            "dns resolutions",
            "trojan",
            "trojanspy",
            "win32",
            "title",
            "servers",
            "unknown ns",
            "domain",
            "present aug",
            "present sep",
            "files domain",
            "files related",
            "none google",
            "safe browsing",
            "unknown aaaa",
            "moved",
            "cloudfront x",
            "meta",
            "ip whois",
            "registrar",
            "hostname",
            "files ip",
            "ipv4 add",
            "location united",
            "america flag",
            "america asn",
            "present jul",
            "virtool",
            "record value",
            "dnssec",
            "meta http",
            "content",
            "gmt server",
            "litespeed x",
            "present feb",
            "write c",
            "as62597 nsone",
            "as16509",
            "module load",
            "t1129",
            "service",
            "dynamicloader",
            "windows",
            "tofsee",
            "stream",
            "hostile",
            "win64",
            "delete c",
            "all ipv4",
            "url analysis",
            "status",
            "error",
            "aaaa",
            "ireland unknown",
            "asn as14618",
            "backdoor",
            "a domains",
            "russia",
            "mtb nov",
            "ransom",
            "displayname",
            "push",
            "yara rule",
            "loaderid",
            "lidfileupd",
            "localcfg",
            "rndhex",
            "rndchar",
            "checks",
            "checks system",
            "filehash",
            "av detections",
            "ids detections",
            "yara detections",
            "learn",
            "command",
            "adversaries",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "found",
            "ssl certificate",
            "flag",
            "server",
            "cloudflare",
            "csc corporate",
            "domains",
            "fireeye",
            "contacted hosts",
            "mitre att",
            "pattern match",
            "ck matrix",
            "hybrid",
            "local",
            "path",
            "click",
            "strings",
            "foundry",
            "josht.ca",
            "paid parking",
            "parking crews"
          ],
          "references": [
            "Fireye - FEDNS1.FIREEYE.COM",
            "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
            "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
            "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
            "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
            "http://p2d.josht.ca/assets/content-delivery/depots/download",
            "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca  \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
            "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/  \u2022 http://pma.josht.ca/  \u2022 http://sa.josht.ca",
            "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
            "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
            "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
            "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
            "https://p2d.josht.ca/api/depots/info/?depot=",
            "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
            "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
            "According to newspaper accounts and  Daisy Coleman committed suicide in Lakewood , Co  in 2021",
            "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
            "Daisy was allegedly brutally assaulted by Matthew Barnett,",
            "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
            "Is that where they\u2019re getting these names? Rexxfield.com. SMH",
            "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
            "According to accounts she was afraid for her life , found to be safe then took her own life?",
            "Typing a suicide note on social media is suspicious since it could come from your murderer.",
            "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
            "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
            "and our limited information, is Daisy a victim or a crisis actor?",
            "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
            "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
            "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
            "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
            "FireEye was there in 2 year old pulse now removed? I\u2019ll find it."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7617,
            "domain": 1127,
            "hostname": 3591,
            "email": 9,
            "FileHash-SHA256": 1160,
            "FileHash-MD5": 481,
            "FileHash-SHA1": 404,
            "SSLCertFingerprint": 13,
            "CVE": 1
          },
          "indicator_count": 14403,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "168 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
        "https://vtbehaviour.commondatastorage.googleapis.com/88819f8dbc43e0609fbc6f6a1a9fb2740512b8e1e0f2d9e92926c31b8a11d446_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447466&Signature=nXchQzhNktG26CNrpPC2%2FRBVk5CXbCQ6xUNenWVvnvY2n5P71FF7HHw01QiPu3iGSvBSzqmHiB9HByI%2FJgWTdhqYvc9LZy0rI61W0%2FTNVhSNdb1omKNcCW1ikL2n7eR9BFV1ygPOAPnexLqjbK35hzq40mysRVPCVBcmrjs7NkxUh9nHkwmtOOR3Lz5NsYgdUX2AMqykR9pVoyTLy7tkl5Ap9keTZlEoE2RrK6MTO9HBhYPJD%2",
        "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
        "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
        "Y2K",
        "France",
        "Entrust to Sectigo- Review vendors",
        "Daisy was allegedly brutally assaulted by Matthew Barnett,",
        "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
        "US, Philippines, Ukraine, Iran, China. Alberta.",
        "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
        "Germany, Austria, and Switzerland GmbH",
        "APKMirror https://www.apkmirror.com",
        "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
        "Typing a suicide note on social media is suspicious since it could come from your murderer.",
        "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
        "https://vtbehaviour.commondatastorage.googleapis.com/0a563b64423a632dad9cb2b52129d79e1cd336902c699376b749b509ac34cc8b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1773844718&Signature=IO42eMrLK%2FbIjlFqk5%2FGLr3hVuiKBEV%2F7z6YdTxH%2BKfch%2F5FpMOjzzpMyHE%2BjQrYjooxOOfFiuzomTf%2BKgpeO823xO3kVrolF7WjT%2BtRXU3WcJK8GwxuHM%2BeridLzjBJaEs36CMlTwvdgKwTrtyvYs2ZU%2BUZB9sZt%2Balg%2Bc%2Fhk3XSpyitjPffFVwVijVsh5XRZlDrgY%2BK9BDiOE0rXsuMt3mUVwJVmo5fL",
        "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
        "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
        "CA DMV- 2020 exploits, if even exist in your records, may be related.",
        "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448581&Signature=u1m6X7g3%2B46ZDMb0IvTTp%2FbBxgM9iZvfcHnyyGsaqQA%2BxHuw9ZcqfIkIme3jx7%2BblFBuowZqDr1PbGP28vbxcZhaskjIn3w04QkzN%2F6EWbNlPvabmBH3M0F%2FhfTEM8ayozqby2SPWv6azOEd%2FS3MXYnUsOzgOpSh1uIk0iduf4w1ePo4yJAdHv7fc0AUGPzRmssC0jpjqXzao%2F0qbg1JRMMBq0edJZqYiws6vIf%2B2d9O",
        "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448113&Signature=HGVwYzpWE71%2BbcncRqOn%2BGkFdoAcM0zUAWI1eJD1jsHDcrJKlqO9M0XORZQA5YJxAW65VvTW9omuEH7SypRLJu1W0P3VYs46P7H4Dz1TsNoaNKYhhqpYfKql%2BYbpF7jIqwNfYdG5Uya0aqcIeI7Wx22%2BpByMhnrECSPxpU6wII3hOhgINOcc1mqsMEFfCB4fd%2F3zvfmJ7Rc5HiEea5Qx%2Fm7tB7DjImzqZFtSAQh6qFcSNN",
        "Is that where they\u2019re getting these names? Rexxfield.com. SMH",
        "Spellbinding! Indeed. SpellEditor.exe",
        "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
        "and our limited information, is Daisy a victim or a crisis actor?",
        "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
        "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448247&Signature=KaOoC8k1CwemdPniC2jnlheSiP5jHQwh83WcgjNWDujHQ8F6N7qW1Q3lVUf%2FBjEofHhKuYofMNOHzuLgXjiq%2F4ie2jeMJ2kiAYHGeUvc8RFAO28YMWxIJPmcTSCLcxaOQNbzOOtMF2DO6%2Fw9IodVAr1Yv3SgvamznVqYCu5Din1Q7C0hAc68dxqEbYxXnk9hekwNuVZf81kyLJEmJbSWOxr0ONyt6e7qhV07xe4C1TIJXe%2BH6Zkc8Jp",
        "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449323&Signature=QsivAArVUulKH5N9EOkYOICShe0hR8W0UFhFsPq6t2rlRIdIvciMDBQZ4ooTbp7TpacdxQgFF%2Bi5tH9LdqhGhhF5JPkquaQ5Twm8UjTLbiV4v0PAECarE7LnIShAtYF1LNwCZ6BDcQLYYCofAYGAFJnVZjnwztoy32OFI6WldLKbOfNYUmLe2Api5KarnJezGIPSvZLOJLHh9e6ApJk0PwnTupqxWn0JORAZidwNrGjvoBMeb6gtWmgFnwTO",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449382&Signature=GsaicymiUqs49NLqLPAVvf%2Bv2RwudQDEfcp3TeWyX92n2qwqpH9HWCV422PIRfG9GUe5OGbnGO0mIkaCuWs9fgtMTHtoT6o2uIiPZQNhcAL2tWEv22GoGjIhK0MvnOKG1EKRAA9bdlP5tGpvgOM5usOM55tsgbPUQWGsB19CvRAPS6OZ1eIqrdpLiOeAKK2uIGkaOnOkD4njy1e15fQ0BGPY1rMjdenHRZDu9EXv2zfwqLiUNbp%2B",
        "According to accounts she was afraid for her life , found to be safe then took her own life?",
        "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca  \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
        "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/  \u2022 http://pma.josht.ca/  \u2022 http://sa.josht.ca",
        "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
        "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
        "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449270&Signature=y5dmd%2Br9iDNaXftiyxWZe5cWdAiIpA4H9u6vCT%2FdvFUKL7WV7S2HOKzRyETdhPd%2BF%2FoG5DQwjiN8Yvi10oC6iRsDQY6lbl34%2BOoaljXY4sg13Yyq9v9MMC5DrVBiOta4mYQFQL240y55PVUqOeWoTlaCvh9aA8Mn2iw5ITNNXJVpckpc9C37%2FxyFz8zFSmDEzj3pB2pggacPF34xQm4NB4hDB9ssqGeTsAbv41aOUu4XRV2pyMo9E0xtK2",
        "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
        "Google Docs 1.25.202.02 APK Download by Google LLC",
        "https://p2d.josht.ca/api/depots/info/?depot=",
        "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
        "Micro - Dates to look for specific: April/May/June 2025",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448055&Signature=Oo2OUSuLUWDZOZGoPlCv1tD%2FynOTQPpGUV9I%2FgvLt4ZafLu6Vnt%2FoOXLJA9nFZPH5AiUv%2FWd4huRf8%2BPiUQcGMkSOOYn3mJHyE2t6wNKj1BDNjEJ0ozgBjkzBrZ62UZn4p34YCFKx1mj%2BrH75IoSHpRUfJYvgHnJhElGEMhrJc7ieH0I%2FNpcLuxSy9sfujNonmjwsQj9ZWnkGvLPpmiljGhJIomaUZ6GITQcz6QqbInrBN3nHX6mGGk4",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448087&Signature=zly9PmlRQWb4KS0rNwSC6GG0MNzjm7KFDjr%2B%2Few6J4vqKF%2FJhJnnrYPcE0jJDw2QNhVbkyk0ZP2AmxrgmnTVhLcFijlR18xS82aHK99JxYTYDkmlFMr4U3ENyb3KVWsT%2BCuRbwN66pmHE4sdf33jQRi4ZUPxLJwtnLmhmpds%2BM38I%2Fv7pfRhbp7OYurf%2BJ0%2FQT2bwsg7sZEjDUQJ7HSqjOP8unxpFfBHNwC4wr9qawvlz8",
        "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
        "Gatsby Library Loader, DLL",
        "http://p2d.josht.ca/assets/content-delivery/depots/download",
        "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
        "People who exploit this put the US at risk. Bottom line.",
        "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
        "Amazon- Check new cert subscribers on or around Sept 15 2025",
        "Proton.me/Zenbox: Audit July 2025",
        "According to newspaper accounts and  Daisy Coleman committed suicide in Lakewood , Co  in 2021",
        "FireEye was there in 2 year old pulse now removed? I\u2019ll find it.",
        "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov]  for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
        "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
        "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
        "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
        "https://vtbehaviour.commondatastorage.googleapis.com/99bde29b5d7f5522c0452c95899f63a0cc99a465b516f7eb2980d519fe5a478c_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447513&Signature=vT05qRgkqzlTQQ09TU4VC1ZL9bRV9J6Tgx%2BLYi1Yop0ggmMd9LT5iNFG2AQr%2FZH%2F0pMgqHAgZy%2BRwWUtDV1qO5eBxL%2B8mGzJDZilm%2BhP3%2B%2BKQu%2F76vg8GcDLdxu%2FeLmkj8Dhp9pN4i2cytkeH5zr%2BRHZBvK4uQ47n1zLtlGUSsJ7YXGw%2BWQFVRvu%2B%2B11Jh1PF6x4jF%2B3IbYQ5CZcGLoGbo0PGkN",
        "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
        "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
        "Digi/Global Sign - audit 2020 digital intersect",
        "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
        "This document might expose someone, more than another.",
        "Fireye - FEDNS1.FIREEYE.COM"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Telecommunications",
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69d967590f40c612c90ce84f",
      "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
      "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-04-10T21:10:49.749000",
      "tags": [
        "malicious",
        "Microsoft",
        "intent: reckless",
        "wiper",
        "Transip",
        "bankers document gone rogue",
        "Tehran",
        "pdfkit.net",
        "United",
        "broken Docusign seal",
        "esign violation",
        "us lawyers",
        "Iran",
        "IP Abuse US",
        "Spreader",
        "corruption that spread",
        "52.123.250.180",
        "Mass Data Loss and exfiltration",
        "Docusign exploited by insecure workflows",
        "Adobe exploited by insecure workflows",
        "threat map",
        "Infra / healthcare / more at risk from this negligence",
        "remediation: long. expire the certs. block 53..",
        "accountability, NOW.",
        "Burned",
        "Kitplay",
        "iOS",
        "Watering hole",
        "Webkit",
        "Religious Regime",
        "MS Office",
        "Compliance Hold Purgatory",
        "WIN EXE.32",
        "Firmware neutral",
        "Trusted Insider",
        "DKIM, SPF, DMARC Failures",
        "APKmirror",
        "ILOVEYOUBABY",
        "No Problems",
        "Christmas Tree EXEC Code Red worm Computer virus Nimda",
        "Wanna Cry",
        "APK",
        "DC RAT",
        "Emotnet",
        "Redline Swiper",
        "Open Door",
        "Bankers Document",
        "Y2K",
        "wsscript.exe, VBE",
        "Compliance Lock Trap",
        "Globalsign 2020 (potentially exploited)",
        "Heuristic Smear",
        "Gatsby Library Loader DLL",
        "w31999",
        "UofA"
      ],
      "references": [
        "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov]  for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
        "People who exploit this put the US at risk. Bottom line.",
        "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
        "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
        "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
        "",
        "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
        "This document might expose someone, more than another.",
        "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
        "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
        "Micro - Dates to look for specific: April/May/June 2025",
        "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
        "Amazon- Check new cert subscribers on or around Sept 15 2025",
        "Entrust to Sectigo- Review vendors",
        "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
        "CA DMV- 2020 exploits, if even exist in your records, may be related.",
        "Digi/Global Sign - audit 2020 digital intersect",
        "Proton.me/Zenbox: Audit July 2025",
        "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
        "APKMirror https://www.apkmirror.com",
        "Google Docs 1.25.202.02 APK Download by Google LLC",
        "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
        "Y2K",
        "US, Philippines, Ukraine, Iran, China. Alberta.",
        "France",
        "Germany, Austria, and Switzerland GmbH",
        "Gatsby Library Loader, DLL",
        "Spellbinding! Indeed. SpellEditor.exe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Telecommunications"
      ],
      "TLP": "green",
      "cloned_from": "69a82c54067ca1d502b1eb6c",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3921,
        "hostname": 1668,
        "CVE": 14,
        "URL": 1984,
        "domain": 1432,
        "FileHash-MD5": 882,
        "FileHash-SHA1": 946,
        "CIDR": 10,
        "email": 29,
        "JA3": 2,
        "IPv4": 11
      },
      "indicator_count": 10899,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "9 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a103de1e71756a0b58ce416",
      "name": "secret camera * VirusTotal Windows Sandbox",
      "description": "[100s of thousands of people have signed a petition calling for an end to the use of the word \"sex\" in the wake of a fatal accident in London's West Bromwich, which left 11 people dead]<what is this?",
      "modified": "2026-05-22T12:27:31.937000",
      "created": "2026-05-22T11:28:33.791000",
      "tags": [
        "windows sandbox",
        "clear filters",
        "file type",
        "ascii text",
        "pe file",
        "https",
        "ms windows",
        "svg scalable",
        "vector graphics",
        "elite",
        "tls version",
        "unicode text",
        "persistence",
        "malicious",
        "next",
        "default",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "data",
        "datacrashpad",
        "k localservice",
        "s ngcsvc",
        "s ngcctnrsvc",
        "windir",
        "registry",
        "basic",
        "file name",
        "pe32 executable",
        "intel",
        "file size",
        "sha1",
        "files mitre",
        "windows user",
        "account control",
        "windows",
        "forms",
        "source source",
        "command",
        "enterprise",
        "close",
        "strong",
        "library",
        "address virtual",
        "none rticon",
        "cname",
        "mwdb",
        "bazaar",
        "sha3384",
        "accept",
        "tofsee",
        "shutdown",
        "stream",
        "string id",
        "x5173x95ed",
        "control",
        "wixbundlename",
        "x53d6x6d88",
        "copyright",
        "width",
        "height",
        "helptext",
        "repair",
        "calls process",
        "Camera",
        "Spyware",
        "illegal",
        "test recall",
        "test recall task 5/12/25"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/88819f8dbc43e0609fbc6f6a1a9fb2740512b8e1e0f2d9e92926c31b8a11d446_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447466&Signature=nXchQzhNktG26CNrpPC2%2FRBVk5CXbCQ6xUNenWVvnvY2n5P71FF7HHw01QiPu3iGSvBSzqmHiB9HByI%2FJgWTdhqYvc9LZy0rI61W0%2FTNVhSNdb1omKNcCW1ikL2n7eR9BFV1ygPOAPnexLqjbK35hzq40mysRVPCVBcmrjs7NkxUh9nHkwmtOOR3Lz5NsYgdUX2AMqykR9pVoyTLy7tkl5Ap9keTZlEoE2RrK6MTO9HBhYPJD%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/99bde29b5d7f5522c0452c95899f63a0cc99a465b516f7eb2980d519fe5a478c_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447513&Signature=vT05qRgkqzlTQQ09TU4VC1ZL9bRV9J6Tgx%2BLYi1Yop0ggmMd9LT5iNFG2AQr%2FZH%2F0pMgqHAgZy%2BRwWUtDV1qO5eBxL%2B8mGzJDZilm%2BhP3%2B%2BKQu%2F76vg8GcDLdxu%2FeLmkj8Dhp9pN4i2cytkeH5zr%2BRHZBvK4uQ47n1zLtlGUSsJ7YXGw%2BWQFVRvu%2B%2B11Jh1PF6x4jF%2B3IbYQ5CZcGLoGbo0PGkN",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448055&Signature=Oo2OUSuLUWDZOZGoPlCv1tD%2FynOTQPpGUV9I%2FgvLt4ZafLu6Vnt%2FoOXLJA9nFZPH5AiUv%2FWd4huRf8%2BPiUQcGMkSOOYn3mJHyE2t6wNKj1BDNjEJ0ozgBjkzBrZ62UZn4p34YCFKx1mj%2BrH75IoSHpRUfJYvgHnJhElGEMhrJc7ieH0I%2FNpcLuxSy9sfujNonmjwsQj9ZWnkGvLPpmiljGhJIomaUZ6GITQcz6QqbInrBN3nHX6mGGk4",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448087&Signature=zly9PmlRQWb4KS0rNwSC6GG0MNzjm7KFDjr%2B%2Few6J4vqKF%2FJhJnnrYPcE0jJDw2QNhVbkyk0ZP2AmxrgmnTVhLcFijlR18xS82aHK99JxYTYDkmlFMr4U3ENyb3KVWsT%2BCuRbwN66pmHE4sdf33jQRi4ZUPxLJwtnLmhmpds%2BM38I%2Fv7pfRhbp7OYurf%2BJ0%2FQT2bwsg7sZEjDUQJ7HSqjOP8unxpFfBHNwC4wr9qawvlz8",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448113&Signature=HGVwYzpWE71%2BbcncRqOn%2BGkFdoAcM0zUAWI1eJD1jsHDcrJKlqO9M0XORZQA5YJxAW65VvTW9omuEH7SypRLJu1W0P3VYs46P7H4Dz1TsNoaNKYhhqpYfKql%2BYbpF7jIqwNfYdG5Uya0aqcIeI7Wx22%2BpByMhnrECSPxpU6wII3hOhgINOcc1mqsMEFfCB4fd%2F3zvfmJ7Rc5HiEea5Qx%2Fm7tB7DjImzqZFtSAQh6qFcSNN",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448247&Signature=KaOoC8k1CwemdPniC2jnlheSiP5jHQwh83WcgjNWDujHQ8F6N7qW1Q3lVUf%2FBjEofHhKuYofMNOHzuLgXjiq%2F4ie2jeMJ2kiAYHGeUvc8RFAO28YMWxIJPmcTSCLcxaOQNbzOOtMF2DO6%2Fw9IodVAr1Yv3SgvamznVqYCu5Din1Q7C0hAc68dxqEbYxXnk9hekwNuVZf81kyLJEmJbSWOxr0ONyt6e7qhV07xe4C1TIJXe%2BH6Zkc8Jp",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448581&Signature=u1m6X7g3%2B46ZDMb0IvTTp%2FbBxgM9iZvfcHnyyGsaqQA%2BxHuw9ZcqfIkIme3jx7%2BblFBuowZqDr1PbGP28vbxcZhaskjIn3w04QkzN%2F6EWbNlPvabmBH3M0F%2FhfTEM8ayozqby2SPWv6azOEd%2FS3MXYnUsOzgOpSh1uIk0iduf4w1ePo4yJAdHv7fc0AUGPzRmssC0jpjqXzao%2F0qbg1JRMMBq0edJZqYiws6vIf%2B2d9O",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449270&Signature=y5dmd%2Br9iDNaXftiyxWZe5cWdAiIpA4H9u6vCT%2FdvFUKL7WV7S2HOKzRyETdhPd%2BF%2FoG5DQwjiN8Yvi10oC6iRsDQY6lbl34%2BOoaljXY4sg13Yyq9v9MMC5DrVBiOta4mYQFQL240y55PVUqOeWoTlaCvh9aA8Mn2iw5ITNNXJVpckpc9C37%2FxyFz8zFSmDEzj3pB2pggacPF34xQm4NB4hDB9ssqGeTsAbv41aOUu4XRV2pyMo9E0xtK2",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449323&Signature=QsivAArVUulKH5N9EOkYOICShe0hR8W0UFhFsPq6t2rlRIdIvciMDBQZ4ooTbp7TpacdxQgFF%2Bi5tH9LdqhGhhF5JPkquaQ5Twm8UjTLbiV4v0PAECarE7LnIShAtYF1LNwCZ6BDcQLYYCofAYGAFJnVZjnwztoy32OFI6WldLKbOfNYUmLe2Api5KarnJezGIPSvZLOJLHh9e6ApJk0PwnTupqxWn0JORAZidwNrGjvoBMeb6gtWmgFnwTO",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449382&Signature=GsaicymiUqs49NLqLPAVvf%2Bv2RwudQDEfcp3TeWyX92n2qwqpH9HWCV422PIRfG9GUe5OGbnGO0mIkaCuWs9fgtMTHtoT6o2uIiPZQNhcAL2tWEv22GoGjIhK0MvnOKG1EKRAA9bdlP5tGpvgOM5usOM55tsgbPUQWGsB19CvRAPS6OZ1eIqrdpLiOeAKK2uIGkaOnOkD4njy1e15fQ0BGPY1rMjdenHRZDu9EXv2zfwqLiUNbp%2B"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4759,
        "hostname": 1513,
        "IPv4": 576,
        "FileHash-MD5": 1418,
        "FileHash-SHA1": 1413,
        "domain": 1263,
        "URL": 1550,
        "email": 27,
        "IPv6": 8,
        "CVE": 5
      },
      "indicator_count": 12532,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "8 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a070f0f379e50ef7c511974",
      "name": "* BumbleBee Loader * CAPE Sandbox - 5/1/25",
      "description": "Compilation Timestamp\n2025-05-01 18:04:59 UTC\nEntry Point 527**\nContained Sections 7\nWritten in C++, this malware functions as a first-stage backdoor designed to establish an initial foothold before continuing its stealthy attack to move into MAAS, operations, and development. Bumblebee is primarily delivered via phishing emails\u2014often disguised as invoices\u2014but its scope also includes PDFs, voicemails, zip files, and images. The malware is highly evasive, routinely checking its environment, executing payloads, and creating LOLBins. Related to Operation Endgame, it notably disrupted regsvr32.exe in May 2024. This specific variant was created on May 1, 2025, and appeared to be set into operation on May 5, 2025\u2014interestingly, just one day after Microsoft changed its DKIM, SPF, and DMARC rules.\ned76019fbae16d3992d1939c38d620185f4520e128f80983a00cadc6a9c3b509\n2025-05-05_77aa5cace886af5e61db8eb4c4cea57e_black-basta_cobalt-strike_satacom",
      "modified": "2026-05-17T05:42:57.697000",
      "created": "2026-05-15T12:18:22.918000",
      "tags": [
        "recovery",
        "name",
        "clothing",
        "dating",
        "concerns",
        "submission",
        "analysis",
        "utc html",
        "info title",
        "information",
        "makeup",
        "home",
        "rams twitter",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 60,
        "FileHash-MD5": 53,
        "FileHash-SHA1": 94,
        "FileHash-SHA256": 360,
        "SSLCertFingerprint": 8,
        "URL": 246,
        "domain": 62,
        "email": 8,
        "hostname": 133,
        "Mutex": 1
      },
      "indicator_count": 1025,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "14 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a070f0dd165196deff2d1bf",
      "name": "* BumbleBee Loader * CAPE Sandbox - 5/1/25",
      "description": "Compilation Timestamp\n2025-05-01 18:04:59 UTC\nEntry Point 527**\nContained Sections 7\nWritten in C++, this malware functions as a first-stage backdoor designed to establish an initial foothold before continuing its stealthy attack to move into MAAS, operations, and development. Bumblebee is primarily delivered via phishing emails\u2014often disguised as invoices\u2014but its scope also includes PDFs, voicemails, zip files, and images. The malware is highly evasive, routinely checking its environment, executing payloads, and creating LOLBins. Related to Operation Endgame, it notably disrupted regsvr32.exe in May 2024. This specific variant was created on May 1, 2025, and appeared to be set into operation on May 5, 2025\u2014interestingly, just one day after Microsoft changed its DKIM, SPF, and DMARC rules.\ned76019fbae16d3992d1939c38d620185f4520e128f80983a00cadc6a9c3b509\n2025-05-05_77aa5cace886af5e61db8eb4c4cea57e_black-basta_cobalt-strike_satacom",
      "modified": "2026-05-17T05:42:56.951000",
      "created": "2026-05-15T12:18:21.528000",
      "tags": [
        "recovery",
        "name",
        "clothing",
        "dating",
        "concerns",
        "submission",
        "analysis",
        "utc html",
        "info title",
        "information",
        "makeup",
        "home",
        "rams twitter",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 61,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 346,
        "SSLCertFingerprint": 8,
        "URL": 245,
        "domain": 62,
        "email": 8,
        "hostname": 132
      },
      "indicator_count": 1005,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "14 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bab8ec17587e77fb87296c",
      "name": "CAPE Sandbox - Immediate Research",
      "description": "Hundreds of thousands of people have signed an online petition calling for the removal of the UK's Prime Minister, David Cameron, from the EU's EU referendum, which has now been held in Germany.",
      "modified": "2026-04-17T14:12:53.840000",
      "created": "2026-03-18T14:38:36.655000",
      "tags": [
        "strong",
        "library",
        "address virtual",
        "host",
        "name",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "ironchain",
        "accept",
        "bitcoin",
        "service",
        "date",
        "execution",
        "openssl",
        "python",
        "title",
        "shutdown",
        "impact",
        "whirlpool",
        "project",
        "enterprise",
        "ransomware",
        "body",
        "crypt32"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0a563b64423a632dad9cb2b52129d79e1cd336902c699376b749b509ac34cc8b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1773844718&Signature=IO42eMrLK%2FbIjlFqk5%2FGLr3hVuiKBEV%2F7z6YdTxH%2BKfch%2F5FpMOjzzpMyHE%2BjQrYjooxOOfFiuzomTf%2BKgpeO823xO3kVrolF7WjT%2BtRXU3WcJK8GwxuHM%2BeridLzjBJaEs36CMlTwvdgKwTrtyvYs2ZU%2BUZB9sZt%2Balg%2Bc%2Fhk3XSpyitjPffFVwVijVsh5XRZlDrgY%2BK9BDiOE0rXsuMt3mUVwJVmo5fL"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 219,
        "FileHash-SHA1": 163,
        "FileHash-SHA256": 242,
        "domain": 41,
        "hostname": 95,
        "URL": 96,
        "email": 2
      },
      "indicator_count": 858,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "43 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf44d55f8a0cac0847df73",
      "name": "VirusTotal report\n                    for emdprestamos-release.jar",
      "description": "",
      "modified": "2026-03-22T01:24:37.323000",
      "created": "2026-03-22T01:24:37.323000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 87,
        "FileHash-SHA1": 97,
        "FileHash-SHA256": 989,
        "domain": 25,
        "URL": 17,
        "hostname": 9
      },
      "indicator_count": 1224,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "70 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf44d3279c3850bad26369",
      "name": "VirusTotal report\n                    for emdprestamos-release.jar",
      "description": "",
      "modified": "2026-03-22T01:24:35.555000",
      "created": "2026-03-22T01:24:35.555000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 87,
        "FileHash-SHA1": 97,
        "FileHash-SHA256": 989,
        "domain": 25,
        "URL": 17,
        "hostname": 9
      },
      "indicator_count": 1224,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "70 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6916dc43beba2f3839fd7c36",
      "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com",
      "description": "FireEye appears to have been a Cybersecurity  that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ;  reported false information / documentation. FEDNS1.FIREEYE.COM  URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix",
      "modified": "2025-12-14T05:04:31.480000",
      "created": "2025-11-14T07:37:39.794000",
      "tags": [
        "gmt content",
        "related tags",
        "found title",
        "cache control",
        "x request",
        "runtime",
        "vary",
        "reverse dns",
        "ashburn",
        "resource",
        "verdict",
        "address",
        "read c",
        "unicode",
        "high",
        "memcommit",
        "delete",
        "dock",
        "write",
        "execution",
        "next associated",
        "server response",
        "port",
        "destination",
        "crlf line",
        "malware",
        "png image",
        "rgba",
        "united states",
        "medium",
        "encrypt",
        "america",
        "msie",
        "unknown",
        "present jan",
        "name servers",
        "present oct",
        "present may",
        "present mar",
        "present dec",
        "present nov",
        "united",
        "present apr",
        "present jun",
        "urls show",
        "url hostname",
        "ip address",
        "google safe",
        "results jun",
        "canada unknown",
        "passive dns",
        "canada",
        "meta name",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "twitter",
        "chrome",
        "urls",
        "files",
        "asn as13335",
        "dns resolutions",
        "trojan",
        "trojanspy",
        "win32",
        "title",
        "servers",
        "unknown ns",
        "domain",
        "present aug",
        "present sep",
        "files domain",
        "files related",
        "none google",
        "safe browsing",
        "unknown aaaa",
        "moved",
        "cloudfront x",
        "meta",
        "ip whois",
        "registrar",
        "hostname",
        "files ip",
        "ipv4 add",
        "location united",
        "america flag",
        "america asn",
        "present jul",
        "virtool",
        "record value",
        "dnssec",
        "meta http",
        "content",
        "gmt server",
        "litespeed x",
        "present feb",
        "write c",
        "as62597 nsone",
        "as16509",
        "module load",
        "t1129",
        "service",
        "dynamicloader",
        "windows",
        "tofsee",
        "stream",
        "hostile",
        "win64",
        "delete c",
        "all ipv4",
        "url analysis",
        "status",
        "error",
        "aaaa",
        "ireland unknown",
        "asn as14618",
        "backdoor",
        "a domains",
        "russia",
        "mtb nov",
        "ransom",
        "displayname",
        "push",
        "yara rule",
        "loaderid",
        "lidfileupd",
        "localcfg",
        "rndhex",
        "rndchar",
        "checks",
        "checks system",
        "filehash",
        "av detections",
        "ids detections",
        "yara detections",
        "learn",
        "command",
        "adversaries",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "found",
        "ssl certificate",
        "flag",
        "server",
        "cloudflare",
        "csc corporate",
        "domains",
        "fireeye",
        "contacted hosts",
        "mitre att",
        "pattern match",
        "ck matrix",
        "hybrid",
        "local",
        "path",
        "click",
        "strings",
        "foundry",
        "josht.ca",
        "paid parking",
        "parking crews"
      ],
      "references": [
        "Fireye - FEDNS1.FIREEYE.COM",
        "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
        "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
        "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
        "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
        "http://p2d.josht.ca/assets/content-delivery/depots/download",
        "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca  \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
        "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/  \u2022 http://pma.josht.ca/  \u2022 http://sa.josht.ca",
        "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
        "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
        "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
        "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
        "https://p2d.josht.ca/api/depots/info/?depot=",
        "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
        "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
        "According to newspaper accounts and  Daisy Coleman committed suicide in Lakewood , Co  in 2021",
        "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
        "Daisy was allegedly brutally assaulted by Matthew Barnett,",
        "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
        "Is that where they\u2019re getting these names? Rexxfield.com. SMH",
        "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
        "According to accounts she was afraid for her life , found to be safe then took her own life?",
        "Typing a suicide note on social media is suspicious since it could come from your murderer.",
        "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
        "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
        "and our limited information, is Daisy a victim or a crisis actor?",
        "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
        "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
        "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
        "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
        "FireEye was there in 2 year old pulse now removed? I\u2019ll find it."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7617,
        "domain": 1127,
        "hostname": 3591,
        "email": 9,
        "FileHash-SHA256": 1160,
        "FileHash-MD5": 481,
        "FileHash-SHA1": 404,
        "SSLCertFingerprint": 13,
        "CVE": 1
      },
      "indicator_count": 14403,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "168 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "tidelift.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "tidelift.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780221967.8516104
}