{ "type": "Domain", "indicator": "userinfo.email", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/userinfo.email", "alexa": "http://www.alexa.com/siteinfo/userinfo.email", "indicator": "userinfo.email", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2898804266, "indicator": "userinfo.email", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f99f0b14707306f5cb7a96", "name": "KidsProtect - A Near-Total Surveillance Toolkit", "description": "Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years.\n\nCerto has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim\u2019s phone. It can\u2019t be removed without the attacker\u2019s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own.\n\nThe tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner\u2019s knowledge.\nFrom a web-based dashboard, an operator can secretly record calls, stream live audio from the device\u2019s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.", "modified": "2026-05-05T07:40:59.536000", "created": "2026-05-05T07:40:59.536000", "tags": [ "capture", "kidsprotect", "android", "certo", "gps location", "whatsapp", "viber", "wifiservice", "protect", "remote access", "trojan", "parental", "stealth", "stream", "telegram", "service installer", "classes2.dex", "dalvik dex", "android", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "open th", "virustotal api", "comments", "iocs", "data upload", "extraction", "se boypes" ], "references": [ "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo", "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/", "Android Permissions Below:", "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,", "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,", "MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG,", "The app\u2019s package name \u2014 com.example.parentguard", "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions", "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.", "com.example.parentguard", "The software is sold on a subscription basis starting from $60.", "Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert .", "Additional research by Q.Vashti" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "ALF:AndroidOSSuspiciousPerms.A", "display_name": "ALF:AndroidOSSuspiciousPerms.A", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 49, "domain": 3, "hostname": 5, "email": 1 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ef4ad212dd34e79e44a76", "name": "Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft", "description": "Mandiant has reported a significant uptick in activities by threat actors associated with the ShinyHunters brand, particularly focusing on sophisticated vishing techniques and the use of credential harvesting websites to infiltrate corporate environments. The primary objective of these operations is to gain access to sensitive corporate data, particularly from cloud-based software-as-a-service (SaaS) applications, which the threat actors subsequently exfiltrate for extortion purposes.\n\nThe threat group UNC6661 has been active from early to mid-January 2026, impersonating IT staff to manipulate employees into providing their single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. This was accomplished by directing victims to phishing sites that replicated the branding of their organizations. The phishing domains associated with UNC6661 typically followed a naming pattern such as http://companynamesso.com or http://companynameinternal.com, being registered with NICENIC.", "modified": "2026-03-03T06:01:35.612000", "created": "2026-02-01T06:37:33.496000", "tags": [ "unc6671", "unc6661", "iocs", "january", "it staff", "tucows", "okta customer", "mandiant", "powershell", "sharepoint", "threat intelligence" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/" ], "public": 1, "adversary": "Shinyhunters", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 6, "email": 2, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d0c4cb716b88c464c666c3", "name": "The Best Buy Virus - Spreads Via Bluetooth, Pre-Boots Bios", "description": "https://any.run/report/c6240ca88eed5b237451d4ceab51a5df1e8bc3b0a4a0e099fbe4b9f0d5cf23a2/bb5def03-bc05-461a-8f31-dac27aa379a3#i-table-processes-e4bd3114-7005-4ba7-96c9-337696f5c010\n\nFormerly referred to as WhinySuckyBaby before Best Buy Corporate elected to completely avoid all responsibility for the virus that they are spreading to anyone that walks into those stores. Infection is proven and on video at: Https://BiosVir.us or https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "modified": "2025-05-15T09:15:39.493000", "created": "2024-08-29T18:58:19.338000", "tags": [ "Bios", "Virus", "Sucky", "Bluetooth", "CryptoMining", "Keylogging", "Crypto", "Euif", "Best", "Persistant", "Survives Reformat", "No Help", "Buy", "WhinySuckyBaby", "Squad", "Whiny", "Mark Monitor", "Digital Stalking", "Best Buy", "Baby", "w3.org", "Geek" ], "references": [ "", "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806", "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "Https://BiosVir.us", "Https://BluetoothVirus.com", "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061", "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 13, "follower_count": 0, "vote": 0, "author": { "username": "Jeff4Son", "id": "291365", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 422, "FileHash-SHA1": 420, "FileHash-SHA256": 966, "URL": 620, "domain": 531, "hostname": 1564, "email": 6, "SSLCertFingerprint": 13 }, "indicator_count": 4542, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "380 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "455 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a464c07b076a6022abbe", "name": "Social Engineering - Anonymizer - Qakbot \u221a", "description": "", "modified": "2023-12-06T16:42:12.952000", "created": "2023-12-06T16:42:12.952000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0c0b966ec5b823d2ae7", "name": "PROXY - Defense Evasion \u2022 Malicious Spammer", "description": "", "modified": "2023-12-06T16:26:40.335000", "created": "2023-12-06T16:26:40.335000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a05bc6152413ed0fdbaa", "name": "Social Engineering -Striven Anonymizer", "description": "", "modified": "2023-12-06T16:24:59.615000", "created": "2023-12-06T16:24:59.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e26c454e86439fd9462541", "name": "Social Engineering -Striven Anonymizer", "description": "Optin Example: Affected (device w/vulnerabilities or in BotNetwork, etc) clocks on a ' Sponsored Ad' that fits search query. Will view webpage and Optin to be contacted by email and/or telephone. Both methods will likely be required by attacker. Bad actor will call immediately, quality of call can be surprisingly poor (obnoxiously noisy), BA takes assessment, quotes prices much higher than should be. You are desperate because no one else can help. Actor will demand email, will send various attachments, all malicious. Will not look suspicious, (strategy, video introduction, proposal, etc). Once you don't respond you may receive email contact from different email, more attachments. Follow ups...by now bad actor has full use of device. Spyware. Apps auto download, blocked from removal. Incredible cycle.\n\n\nLogin.aspx192.118.8.10 = 192.118.8.10\niphones.orange.co.il\nhttps://www.partner.co.il/n/login?utm_source=sm", "modified": "2023-09-19T20:04:24.850000", "created": "2023-08-20T19:40:53.299000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7c73087130803d20066ef", "name": "PROXY - Defense Evasion \u2022 Malicious Spammer ", "description": "", "modified": "2023-09-19T20:04:24.850000", "created": "2023-08-24T21:10:08.493000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": "64e26c454e86439fd9462541", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6500a47dd316d0ea5616044d", "name": "Social Engineering - Anonymizer - Qakbot \u221a", "description": "", "modified": "2023-09-19T20:04:24.850000", "created": "2023-09-12T17:48:45.349000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": "64e26c454e86439fd9462541", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert .", "", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "All - EnterpriseAppsList.csv", "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "https://tria.ge/240521-q4s79agb25/static1", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "https://login.striven.com/Security/Login.aspx192.118.8.10", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/", "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo", "MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG,", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/", "com.example.parentguard", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://tria.ge/240517-vqxezaaa33/behavioral1", "MilesIT", "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806", "Https://BiosVir.us", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "AppRegistrationList.csv", "Additional research by Q.Vashti", "Thor Scan: S-I9VvMTB6cZU", "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6", "https://tria.ge/240517-vdwb5shc71/behavioral1", "The app\u2019s package name \u2014 com.example.parentguard", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23", "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions", "https://tria.ge/240517-t9pc2ahb2t", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "The software is sold on a subscription basis starting from $60.", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,", "Android Permissions Below:", "https://urlscan.io/search/#ualberta.ca", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "Https://BluetoothVirus.com", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "IOCs-May1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Striven", "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "Shinyhunters" ], "malware_families": [ "Alf:androidossuspiciousperms.a", "Alf:monitoringtool:androidos/finspy", "Black basta (elf)", "Remote access" ], "industries": [ "Technology", "Government", "Education", "Cyber security", "Healthcare", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f99f0b14707306f5cb7a96", "name": "KidsProtect - A Near-Total Surveillance Toolkit", "description": "Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years.\n\nCerto has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim\u2019s phone. It can\u2019t be removed without the attacker\u2019s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own.\n\nThe tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner\u2019s knowledge.\nFrom a web-based dashboard, an operator can secretly record calls, stream live audio from the device\u2019s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.", "modified": "2026-05-05T07:40:59.536000", "created": "2026-05-05T07:40:59.536000", "tags": [ "capture", "kidsprotect", "android", "certo", "gps location", "whatsapp", "viber", "wifiservice", "protect", "remote access", "trojan", "parental", "stealth", "stream", "telegram", "service installer", "classes2.dex", "dalvik dex", "android", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "open th", "virustotal api", "comments", "iocs", "data upload", "extraction", "se boypes" ], "references": [ "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo", "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/", "Android Permissions Below:", "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,", "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,", "MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG,", "The app\u2019s package name \u2014 com.example.parentguard", "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions", "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.", "com.example.parentguard", "The software is sold on a subscription basis starting from $60.", "Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert .", "Additional research by Q.Vashti" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "ALF:AndroidOSSuspiciousPerms.A", "display_name": "ALF:AndroidOSSuspiciousPerms.A", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 49, "domain": 3, "hostname": 5, "email": 1 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ef4ad212dd34e79e44a76", "name": "Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft", "description": "Mandiant has reported a significant uptick in activities by threat actors associated with the ShinyHunters brand, particularly focusing on sophisticated vishing techniques and the use of credential harvesting websites to infiltrate corporate environments. The primary objective of these operations is to gain access to sensitive corporate data, particularly from cloud-based software-as-a-service (SaaS) applications, which the threat actors subsequently exfiltrate for extortion purposes.\n\nThe threat group UNC6661 has been active from early to mid-January 2026, impersonating IT staff to manipulate employees into providing their single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. This was accomplished by directing victims to phishing sites that replicated the branding of their organizations. The phishing domains associated with UNC6661 typically followed a naming pattern such as http://companynamesso.com or http://companynameinternal.com, being registered with NICENIC.", "modified": "2026-03-03T06:01:35.612000", "created": "2026-02-01T06:37:33.496000", "tags": [ "unc6671", "unc6661", "iocs", "january", "it staff", "tucows", "okta customer", "mandiant", "powershell", "sharepoint", "threat intelligence" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/" ], "public": 1, "adversary": "Shinyhunters", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 6, "email": 2, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "88 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d0c4cb716b88c464c666c3", "name": "The Best Buy Virus - Spreads Via Bluetooth, Pre-Boots Bios", "description": "https://any.run/report/c6240ca88eed5b237451d4ceab51a5df1e8bc3b0a4a0e099fbe4b9f0d5cf23a2/bb5def03-bc05-461a-8f31-dac27aa379a3#i-table-processes-e4bd3114-7005-4ba7-96c9-337696f5c010\n\nFormerly referred to as WhinySuckyBaby before Best Buy Corporate elected to completely avoid all responsibility for the virus that they are spreading to anyone that walks into those stores. Infection is proven and on video at: Https://BiosVir.us or https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "modified": "2025-05-15T09:15:39.493000", "created": "2024-08-29T18:58:19.338000", "tags": [ "Bios", "Virus", "Sucky", "Bluetooth", "CryptoMining", "Keylogging", "Crypto", "Euif", "Best", "Persistant", "Survives Reformat", "No Help", "Buy", "WhinySuckyBaby", "Squad", "Whiny", "Mark Monitor", "Digital Stalking", "Best Buy", "Baby", "w3.org", "Geek" ], "references": [ "", "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806", "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "Https://BiosVir.us", "Https://BluetoothVirus.com", "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061", "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 13, "follower_count": 0, "vote": 0, "author": { "username": "Jeff4Son", "id": "291365", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 422, "FileHash-SHA1": 420, "FileHash-SHA256": 966, "URL": 620, "domain": 531, "hostname": 1564, "email": 6, "SSLCertFingerprint": 13 }, "indicator_count": 4542, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "380 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "455 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a464c07b076a6022abbe", "name": "Social Engineering - Anonymizer - Qakbot \u221a", "description": "", "modified": "2023-12-06T16:42:12.952000", "created": "2023-12-06T16:42:12.952000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0c0b966ec5b823d2ae7", "name": "PROXY - Defense Evasion \u2022 Malicious Spammer", "description": "", "modified": "2023-12-06T16:26:40.335000", "created": "2023-12-06T16:26:40.335000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a05bc6152413ed0fdbaa", "name": "Social Engineering -Striven Anonymizer", "description": "", "modified": "2023-12-06T16:24:59.615000", "created": "2023-12-06T16:24:59.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e26c454e86439fd9462541", "name": "Social Engineering -Striven Anonymizer", "description": "Optin Example: Affected (device w/vulnerabilities or in BotNetwork, etc) clocks on a ' Sponsored Ad' that fits search query. Will view webpage and Optin to be contacted by email and/or telephone. Both methods will likely be required by attacker. Bad actor will call immediately, quality of call can be surprisingly poor (obnoxiously noisy), BA takes assessment, quotes prices much higher than should be. You are desperate because no one else can help. Actor will demand email, will send various attachments, all malicious. Will not look suspicious, (strategy, video introduction, proposal, etc). Once you don't respond you may receive email contact from different email, more attachments. Follow ups...by now bad actor has full use of device. Spyware. Apps auto download, blocked from removal. Incredible cycle.\n\n\nLogin.aspx192.118.8.10 = 192.118.8.10\niphones.orange.co.il\nhttps://www.partner.co.il/n/login?utm_source=sm", "modified": "2023-09-19T20:04:24.850000", "created": "2023-08-20T19:40:53.299000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "userinfo.email", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "userinfo.email", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180756.3779047 }