{ "type": "Domain", "indicator": "twisttango.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/twisttango.com", "alexa": "http://www.alexa.com/siteinfo/twisttango.com", "indicator": "twisttango.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3427302638, "indicator": "twisttango.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68bbf3e40e3ce8a74aa89545", "name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang", "description": "", "modified": "2025-10-06T08:03:23.285000", "created": "2025-09-06T08:42:12.787000", "tags": [ "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "search", "title", "date", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "get http", "dns resolutions", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cnamazon rsa", "m03 oamazon", "thumbprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "yara detections", "contacted", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "detections tls", "indicator role", "title added", "active related", "entries", "role title", "added active", "filehashmd5", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null }, { "id": "RokRAT", "display_name": "RokRAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Hospitality", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 539, "FileHash-SHA1": 389, "FileHash-SHA256": 3386, "domain": 862, "hostname": 1155, "URL": 4091, "CVE": 3, "SSLCertFingerprint": 5 }, "indicator_count": 10430, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677535a1069ac7483513fc96", "name": "An error has occurred https://errors.edgesuite.net/18.ficee2017.1735732606.32416504", "description": "If you're trying to find out what's going wrong on your website, you may have found an error on the page. and it's not the same as the previous request. the following:", "modified": "2025-01-31T12:00:04.669000", "created": "2025-01-01T12:31:29.983000", "tags": [ "translate error", "string tool", "hamburger", "support" ], "references": [ "https://errors.edgesuite.net/18.ficee2017.1735732606.32416504", "https://naojuplacbla4z3vcbjq-p83hcm-eadaebdbd-clientnsv4-s.akamaihd.net/eum/results.txt", "https://naojuplacbla4z3vcbjq-p83hcm-eadaebdbd-clientnsv4-s.akamaihd.net/favicon.ico" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 102, "hostname": 396, "FileHash-MD5": 90, "FileHash-SHA1": 24, "FileHash-SHA256": 197, "domain": 64, "CVE": 5 }, "indicator_count": 878, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c01dca4e6c505e4fca0", "name": "Hostgator - whitelisted", "description": "", "modified": "2023-12-06T14:58:09.135000", "created": "2023-12-06T14:58:09.135000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 692, "hostname": 1339, "domain": 1260, "URL": 4622, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65463631b46319b3aa1d071f", "name": "Qausar RAT - aig.com |", "description": "Compilation of research identifilocates aig.com Defense Division of Workers Compensation. \nMalicious & invasive tactics remain. Target seem to have been removed from, revenge porn campaign targeted name no longer auto populates, registrant seems poised for campaign.\nTactics include phishing, tracking, geotracking, device location, monitoring, side loading apps and remote access. \n\nQausar Rat identified:\nAlso known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.", "modified": "2023-12-04T11:01:36.202000", "created": "2023-11-04T12:16:49.600000", "tags": [ "general full", "url https", "reverse dns", "security tls", "protocol h2", "name value", "resource", "united", "asn16509", "amazon02", "main", "facebook", "http", "request chain", "november", "de page", "url history", "javascript", "meta", "page url", "redirected", "http redirect", "value", "mime type", "variables", "contexthub", "visitor object", "cq function", "sanitize object", "elqq", "domainpath name", "link", "property", "workers", "compensation", "login myaig", "liability", "contact", "a claim", "commercial auto", "login aig", "form", "cyber", "find", "team", "defense", "crime", "ransom", "energy", "cargo", "life", "media", "enterprise", "american international", "frankfurt", "germany", "october", "domains", "asn20940", "cisco", "umbrella rank", "domain", "de summary", "ssl certificate", "whois record", "whois whois", "malware", "network mooooda", "and china", "filter https", "dsp1", "keepaliveyes", "p11642963562", "quasar", "metro", "android", "djvu", "win32 exe", "win32 dll", "ms excel", "dao360", "spreadsheet", "files", "detections type", "name", "phishing", "tulach exploits", "falcon sandbox", "pattern match", "file", "script", "indicator", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "date", "unknown", "body", "error", "span", "class", "generator", "critical", "refresh", "open", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "suricata" ], "references": [ "aig.com", "https://urlscan.io", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "remoteaccess.aig.com", "https://remote.goeaston.net", "window.location.search", "location.search", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/" ], "public": 1, "adversary": "American International", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "American International", "display_name": "American International", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Reinsurance", "Travel" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 117, "FileHash-SHA256": 1962, "domain": 575, "hostname": 1623, "FileHash-MD5": 123, "URL": 3670, "CVE": 2 }, "indicator_count": 8072, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "909 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "625f112112bb456382bee7c9", "name": "Hostgator - whitelisted", "description": "Firing Rule, IRF.util.com, is set to go live on the internet after it was triggered by a new rule, but if it is not already in place, it will not load.", "modified": "2022-05-19T00:00:49.028000", "created": "2022-04-19T19:44:33.964000", "tags": [ "webkitkeyframes", "helvetica neue", "helvetica", "arial", "45deg", "100vw", "typetext", "copyright", "closure library", "affiliatepage", "tospage", "banner", "iab2", "acceptall", "rejectall", "genven", "expecting iab", "iab tcf", "oldcctid", "newdomainid", "unknown", "checkbox", "date", "component", "apptree", "hnull", "fcee", "typeof t", "typeerror", "qss7", "error", "promise", "hfunction", "typeof e", "rfc3986", "string", "array", "rfc1738", "object", "sr1t", "typeof symbol", "animation", "null", "rnull", "forwardref", "typeof n", "nullt", "cxlc", "dptw", "dtha", "gdzw", "gurp", "w0b4", "kjy9", "uigm", "ve6h", "event", "currency", "currencysymbol", "ucvw", "ofunction", "ocsf", "xfunction", "urlsearchparams", "open", "symbol", "nfunction", "lfunction", "ufunction", "typeof window", "typeof self", "hj", "09af", "regexp", "irmstevent", "bad expr", "hotjar", "email", "telefon", "survey", "meta", "cookie", "keypress", "trident", "live", "fullscreen", "generic", "window", "widget", "ciudad", "adore", "experiment", "mutation", "n color", "number", "customevent", "n strictly", "hostn host", "button", "cookie tracking", "close", "campaign", "decision", "action", "page", "controller", "must", "visitor", "groupstart", "info", "obsolete", "false", "reduceright", "portland", "trackevent", "query", "u003cu003e", "trackpageview", "code", "path", "click", "derek", "void", "gsxr89skrrs", "r300", "uint8array", "typeof d", "caca", "typeof", "facebook pixel", "pixel code", "iterator", "constantvalue", "globalvariable", "facebook", "boolean", "function", "service", "phonenumber", "ver0", "tag0", "extdata0", "ua ch", "invalid", "which", "thank", "hostgator", "poll", "primary intent", "iwe didn", "f39c11", "team", "script", "array int8array", "caregexp", "legacy", "irfcd", "error setting", "irgbd", "outer", "dynamic tag", "variable", "rule", "expr", "inline script" ], "references": [ "xfe-URL-hostgator.com-stix2-2.1-export.json", "https://a.impactradius-tag.com/foundation-tags-SD382-d393-452e-9c15-ac1e4a6fc6fb1.js", "https://d3cxv97fi8q177.cloudfront.net/foundation-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.googleadservices.com/pagead/conversion_async.js", "https://static.hotjar.com/c/hotjar-23213.js?sv=7", "https://bat.bing.com/bat.js", "https://connect.facebook.net/signals/config/393095817498804?v=2.9.57&r=stable", "https://connect.facebook.net/en_US/fbevents.js", "https://www.googletagmanager.com/gtag/js?id=G-SXR89SKRRS&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtm.js?id=GTM-PPNLL2", "https://cdn3.optimizely.com/js/geo4.js", "https://cdn.optimizely.com/js/13477600374.js", "https://bat.bing.com/p/action/5797759.js", "https://cdn.cookielaw.org/scripttemplates/6.32.0/otBannerSdk.js", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://a.impactradius-tag.com/mediasource-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.hostgator.com/_next/static/runtime/polyfills-31f3ad766330c3157d95.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/_app.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/index.js", "https://www.hostgator.com/_next/static/runtime/webpack-83bd83ab777f80a6c75c.js", "https://www.hostgator.com/_next/static/chunks/framework.4fc08a4a599cac03ddf5.js", "https://www.hostgator.com/_next/static/chunks/60aafdb66a57b57b76936ce193fee053374e679c.cdd375bd63e4f4a5a41b.js", "https://www.hostgator.com/_next/static/runtime/main-a00d7acfcccd82e343f6.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_ssgManifest.js", "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_buildManifest.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071979603/?random=1650396033510&cv=9&fst=1650396033510&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.hostgator.com%2F&tiba=Web%20Hosting%20-%202022%27s%20Best%20Website%20Hosting%20%7C%20HostGator&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.hostgator.com/_next/static/css/1746e01e071caaad90f08af905f64c7649b9fd98_CSS.27b3968e.chunk.css", "https://6241250.fls.doubleclick.net/activityi;src=6241250;type=remar0;cat=hg-al0;ord=1;num=152669004837;gtm=2wg4i1;auiddc=30830049.1650396032;u1=prospect;u2=%2F;u5=noConsent-none;~oref=https%3A%2F%2Fwww.hostgator.com%2F", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Tunisia" ], "malware_families": [ { "id": "hj", "display_name": "hj", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1339, "URL": 4622, "domain": 1260, "FileHash-SHA256": 692, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://d3cxv97fi8q177.cloudfront.net/foundation-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/_app.js", "https://www.googleadservices.com/pagead/conversion_async.js", "xfe-URL-hostgator.com-stix2-2.1-export.json", "https://www.googletagmanager.com/gtm.js?id=GTM-PPNLL2", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "https://cdn.cookielaw.org/scripttemplates/6.32.0/otBannerSdk.js", "aig.com", "https://www.hostgator.com/_next/static/runtime/main-a00d7acfcccd82e343f6.js", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "remoteaccess.aig.com", "https://www.googletagmanager.com/gtag/js?id=G-SXR89SKRRS&l=dataLayer&cx=c", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", "https://www.hostgator.com/_next/static/chunks/framework.4fc08a4a599cac03ddf5.js", "https://6241250.fls.doubleclick.net/activityi;src=6241250;type=remar0;cat=hg-al0;ord=1;num=152669004837;gtm=2wg4i1;auiddc=30830049.1650396032;u1=prospect;u2=%2F;u5=noConsent-none;~oref=https%3A%2F%2Fwww.hostgator.com%2F", "https://cdn.optimizely.com/js/13477600374.js", "https://cdn3.optimizely.com/js/geo4.js", "location.search", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "https://www.hostgator.com/_next/static/chunks/60aafdb66a57b57b76936ce193fee053374e679c.cdd375bd63e4f4a5a41b.js", "https://naojuplacbla4z3vcbjq-p83hcm-eadaebdbd-clientnsv4-s.akamaihd.net/eum/results.txt", "https://bat.bing.com/bat.js", "https://a.impactradius-tag.com/mediasource-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_ssgManifest.js", "https://remote.goeaston.net", "https://urlscan.io", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://naojuplacbla4z3vcbjq-p83hcm-eadaebdbd-clientnsv4-s.akamaihd.net/favicon.ico", "https://errors.edgesuite.net/18.ficee2017.1735732606.32416504", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/index.js", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://static.hotjar.com/c/hotjar-23213.js?sv=7", "https://www.hostgator.com/_next/static/runtime/webpack-83bd83ab777f80a6c75c.js", "https://connect.facebook.net/en_US/fbevents.js", "https://www.hostgator.com/_next/static/css/1746e01e071caaad90f08af905f64c7649b9fd98_CSS.27b3968e.chunk.css", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_buildManifest.js", "https://connect.facebook.net/signals/config/393095817498804?v=2.9.57&r=stable", "https://a.impactradius-tag.com/foundation-tags-SD382-d393-452e-9c15-ac1e4a6fc6fb1.js", "https://bat.bing.com/p/action/5797759.js", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html", "https://www.hostgator.com/_next/static/runtime/polyfills-31f3ad766330c3157d95.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071979603/?random=1650396033510&cv=9&fst=1650396033510&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.hostgator.com%2F&tiba=Web%20Hosting%20-%202022%27s%20Best%20Website%20Hosting%20%7C%20HostGator&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "window.location.search" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "American International" ], "malware_families": [ "Domino", "Carbanak", "American international", "Ransomware", "Project nemesis", "Rokrat", "Hj", "Cobalt strike", "Quasar rat", "Lizar", "Reduceright" ], "industries": [ "Financial", "Reinsurance", "Hospitality", "Travel" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68bbf3e40e3ce8a74aa89545", "name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang", "description": "", "modified": "2025-10-06T08:03:23.285000", "created": "2025-09-06T08:42:12.787000", "tags": [ "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "search", "title", "date", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "get http", "dns resolutions", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cnamazon rsa", "m03 oamazon", "thumbprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "yara detections", "contacted", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "detections tls", "indicator role", "title added", "active related", "entries", "role title", "added active", "filehashmd5", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null }, { "id": "RokRAT", "display_name": "RokRAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Hospitality", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 539, "FileHash-SHA1": 389, "FileHash-SHA256": 3386, "domain": 862, "hostname": 1155, "URL": 4091, "CVE": 3, "SSLCertFingerprint": 5 }, "indicator_count": 10430, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677535a1069ac7483513fc96", "name": "An error has occurred https://errors.edgesuite.net/18.ficee2017.1735732606.32416504", "description": "If you're trying to find out what's going wrong on your website, you may have found an error on the page. and it's not the same as the previous request. the following:", "modified": "2025-01-31T12:00:04.669000", "created": "2025-01-01T12:31:29.983000", "tags": [ "translate error", "string tool", "hamburger", "support" ], "references": [ "https://errors.edgesuite.net/18.ficee2017.1735732606.32416504", "https://naojuplacbla4z3vcbjq-p83hcm-eadaebdbd-clientnsv4-s.akamaihd.net/eum/results.txt", "https://naojuplacbla4z3vcbjq-p83hcm-eadaebdbd-clientnsv4-s.akamaihd.net/favicon.ico" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 102, "hostname": 396, "FileHash-MD5": 90, "FileHash-SHA1": 24, "FileHash-SHA256": 197, "domain": 64, "CVE": 5 }, "indicator_count": 878, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c01dca4e6c505e4fca0", "name": "Hostgator - whitelisted", "description": "", "modified": "2023-12-06T14:58:09.135000", "created": "2023-12-06T14:58:09.135000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 692, "hostname": 1339, "domain": 1260, "URL": 4622, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65463631b46319b3aa1d071f", "name": "Qausar RAT - aig.com |", "description": "Compilation of research identifilocates aig.com Defense Division of Workers Compensation. \nMalicious & invasive tactics remain. Target seem to have been removed from, revenge porn campaign targeted name no longer auto populates, registrant seems poised for campaign.\nTactics include phishing, tracking, geotracking, device location, monitoring, side loading apps and remote access. \n\nQausar Rat identified:\nAlso known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.", "modified": "2023-12-04T11:01:36.202000", "created": "2023-11-04T12:16:49.600000", "tags": [ "general full", "url https", "reverse dns", "security tls", "protocol h2", "name value", "resource", "united", "asn16509", "amazon02", "main", "facebook", "http", "request chain", "november", "de page", "url history", "javascript", "meta", "page url", "redirected", "http redirect", "value", "mime type", "variables", "contexthub", "visitor object", "cq function", "sanitize object", "elqq", "domainpath name", "link", "property", "workers", "compensation", "login myaig", "liability", "contact", "a claim", "commercial auto", "login aig", "form", "cyber", "find", "team", "defense", "crime", "ransom", "energy", "cargo", "life", "media", "enterprise", "american international", "frankfurt", "germany", "october", "domains", "asn20940", "cisco", "umbrella rank", "domain", "de summary", "ssl certificate", "whois record", "whois whois", "malware", "network mooooda", "and china", "filter https", "dsp1", "keepaliveyes", "p11642963562", "quasar", "metro", "android", "djvu", "win32 exe", "win32 dll", "ms excel", "dao360", "spreadsheet", "files", "detections type", "name", "phishing", "tulach exploits", "falcon sandbox", "pattern match", "file", "script", "indicator", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "date", "unknown", "body", "error", "span", "class", "generator", "critical", "refresh", "open", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "suricata" ], "references": [ "aig.com", "https://urlscan.io", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "remoteaccess.aig.com", "https://remote.goeaston.net", "window.location.search", "location.search", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/" ], "public": 1, "adversary": "American International", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "American International", "display_name": "American International", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Reinsurance", "Travel" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 117, "FileHash-SHA256": 1962, "domain": 575, "hostname": 1623, "FileHash-MD5": 123, "URL": 3670, "CVE": 2 }, "indicator_count": 8072, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "909 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "625f112112bb456382bee7c9", "name": "Hostgator - whitelisted", "description": "Firing Rule, IRF.util.com, is set to go live on the internet after it was triggered by a new rule, but if it is not already in place, it will not load.", "modified": "2022-05-19T00:00:49.028000", "created": "2022-04-19T19:44:33.964000", "tags": [ "webkitkeyframes", "helvetica neue", "helvetica", "arial", "45deg", "100vw", "typetext", "copyright", "closure library", "affiliatepage", "tospage", "banner", "iab2", "acceptall", "rejectall", "genven", "expecting iab", "iab tcf", "oldcctid", "newdomainid", "unknown", "checkbox", "date", "component", "apptree", "hnull", "fcee", "typeof t", "typeerror", "qss7", "error", "promise", "hfunction", "typeof e", "rfc3986", "string", "array", "rfc1738", "object", "sr1t", "typeof symbol", "animation", "null", "rnull", "forwardref", "typeof n", "nullt", "cxlc", "dptw", "dtha", "gdzw", "gurp", "w0b4", "kjy9", "uigm", "ve6h", "event", "currency", "currencysymbol", "ucvw", "ofunction", "ocsf", "xfunction", "urlsearchparams", "open", "symbol", "nfunction", "lfunction", "ufunction", "typeof window", "typeof self", "hj", "09af", "regexp", "irmstevent", "bad expr", "hotjar", "email", "telefon", "survey", "meta", "cookie", "keypress", "trident", "live", "fullscreen", "generic", "window", "widget", "ciudad", "adore", "experiment", "mutation", "n color", "number", "customevent", "n strictly", "hostn host", "button", "cookie tracking", "close", "campaign", "decision", "action", "page", "controller", "must", "visitor", "groupstart", "info", "obsolete", "false", "reduceright", "portland", "trackevent", "query", "u003cu003e", "trackpageview", "code", "path", "click", "derek", "void", "gsxr89skrrs", "r300", "uint8array", "typeof d", "caca", "typeof", "facebook pixel", "pixel code", "iterator", "constantvalue", "globalvariable", "facebook", "boolean", "function", "service", "phonenumber", "ver0", "tag0", "extdata0", "ua ch", "invalid", "which", "thank", "hostgator", "poll", "primary intent", "iwe didn", "f39c11", "team", "script", "array int8array", "caregexp", "legacy", "irfcd", "error setting", "irgbd", "outer", "dynamic tag", "variable", "rule", "expr", "inline script" ], "references": [ "xfe-URL-hostgator.com-stix2-2.1-export.json", "https://a.impactradius-tag.com/foundation-tags-SD382-d393-452e-9c15-ac1e4a6fc6fb1.js", "https://d3cxv97fi8q177.cloudfront.net/foundation-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.googleadservices.com/pagead/conversion_async.js", "https://static.hotjar.com/c/hotjar-23213.js?sv=7", "https://bat.bing.com/bat.js", "https://connect.facebook.net/signals/config/393095817498804?v=2.9.57&r=stable", "https://connect.facebook.net/en_US/fbevents.js", "https://www.googletagmanager.com/gtag/js?id=G-SXR89SKRRS&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtm.js?id=GTM-PPNLL2", "https://cdn3.optimizely.com/js/geo4.js", "https://cdn.optimizely.com/js/13477600374.js", "https://bat.bing.com/p/action/5797759.js", "https://cdn.cookielaw.org/scripttemplates/6.32.0/otBannerSdk.js", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://a.impactradius-tag.com/mediasource-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.hostgator.com/_next/static/runtime/polyfills-31f3ad766330c3157d95.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/_app.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/index.js", "https://www.hostgator.com/_next/static/runtime/webpack-83bd83ab777f80a6c75c.js", "https://www.hostgator.com/_next/static/chunks/framework.4fc08a4a599cac03ddf5.js", "https://www.hostgator.com/_next/static/chunks/60aafdb66a57b57b76936ce193fee053374e679c.cdd375bd63e4f4a5a41b.js", "https://www.hostgator.com/_next/static/runtime/main-a00d7acfcccd82e343f6.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_ssgManifest.js", "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_buildManifest.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071979603/?random=1650396033510&cv=9&fst=1650396033510&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.hostgator.com%2F&tiba=Web%20Hosting%20-%202022%27s%20Best%20Website%20Hosting%20%7C%20HostGator&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.hostgator.com/_next/static/css/1746e01e071caaad90f08af905f64c7649b9fd98_CSS.27b3968e.chunk.css", "https://6241250.fls.doubleclick.net/activityi;src=6241250;type=remar0;cat=hg-al0;ord=1;num=152669004837;gtm=2wg4i1;auiddc=30830049.1650396032;u1=prospect;u2=%2F;u5=noConsent-none;~oref=https%3A%2F%2Fwww.hostgator.com%2F", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Tunisia" ], "malware_families": [ { "id": "hj", "display_name": "hj", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1339, "URL": 4622, "domain": 1260, "FileHash-SHA256": 692, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "twisttango.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "twisttango.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780265402.5162919 }