{ "type": "Domain", "indicator": "vulners.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/vulners.com", "alexa": "http://www.alexa.com/siteinfo/vulners.com", "indicator": "vulners.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "whitelist", "message": "Whitelisted domain vulners.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 1601861002, "indicator": "vulners.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 30, "pulses": [ { "id": "6a132a7a71682c83e9c17835", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-26T06:44:42.987000", "created": "2026-05-24T16:42:34.355000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1765, "URL": 1325, "hostname": 1489, "FileHash-MD5": 224, "FileHash-SHA1": 268, "IPv4": 152, "domain": 1177, "CIDR": 4, "email": 11, "IPv6": 1, "URI": 3, "CVE": 2, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6425, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13404a015fc885f5edb1c9", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:38.213000", "created": "2026-05-24T18:15:38.213000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1340485f49d8abce143eea", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:36.238000", "created": "2026-05-24T18:15:36.238000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7a34bcc860b0e44ffc", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:34.350000", "created": "2026-05-24T16:42:34.350000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7762cac9a1007d9ece", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:31.294000", "created": "2026-05-24T16:42:31.294000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a66fa217054f3e57883", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:14.218000", "created": "2026-05-24T16:42:14.218000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a577896901b2c0b993b", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:41:59.005000", "created": "2026-05-24T16:41:59.005000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c6bb5aa601e91b1314ff44", "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)", "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8", "modified": "2025-04-22T06:02:28.535000", "created": "2025-03-04T08:35:38.390000", "tags": [ "misc", "filename ioc", "scanid", "sigtype1", "reasonscount", "sg2backup drive", "thu feb", "log entry", "exists1", "matched1", "warp", "trash", "rooter", "service", "puppet", "apache", "ruby", "execution", "android", "glasses", "agent", "hermes", "atlas", "score", "open", "orion", "entity", "download", "enterprise", "nexus", "beyond", "patch", "rest", "bsod", "bind", "june", "upgrade", "project", "surtr", "path", "mandrake", "accept", "openssl", "null", "responder", "shell", "servu", "cargo", "bypass", "green", "python", "iframe", "webex", "blink", "code", "netty", "fall", "grab", "metasploit", "webdav", "postscript", "middle", "assistant", "energy", "august", "diego", "february", "hold", "write", "extras", "fusion", "trace", "click", "rust", "anna", "virustotal", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "probe", "win32", "snoopy", "vuln", "april", "format", "flash", "domino", "calendar", "cryptocat", "orca", "hello", "stream", "confi", "sharepoint", "launcher", "hypervisor", "malicious", "lame", "attack", "prior", "simple", "hpack", "homepage", "easy", "live", "cookie", "explorer", "config", "rush", "spark", "chat", "media", "webview", "trigger", "northstar", "monitoring", "false", "impact", "dino", "example", "splash", "macos", "notifier", "error", "spring", "this", "neutrino", "tools", "template", "crow", "magento", "zimbra", "drop", "stack", "linear", "blocker", "deleter", "main", "face", "arch", "hosts", "bifrost", "recursive", "cobaltstrike", "luckycat", "brain", "apt", "php", "rat", "hacktool", "worm", "meterpreter", "obfuscated", "evasive", "exaramel", "anti-vm" ], "references": [ "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [ "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 14071, "FileHash-MD5": 979, "FileHash-SHA1": 2568, "FileHash-SHA256": 636, "URL": 43905, "domain": 2031, "email": 31, "hostname": 3621 }, "indicator_count": 67842, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "404 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afca8042c6fe9412bfa29b", "name": "Red Team & Law Firm hijack targets Denver, Arizona, Indiana", "description": "", "modified": "2024-01-23T14:17:36.291000", "created": "2024-01-23T14:17:36.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aec0fde095e6b58d81150c", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "858 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afbae2f2128524e68c4344", "name": "RED TEAM ", "description": "", "modified": "2024-01-23T13:10:58.488000", "created": "2024-01-23T13:10:58.488000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aebfa135f9d1d8ba5d74a9", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "craignbmed", "id": "181999", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_181999/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "858 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aec5db33e8f0cb8010282c", "name": "Dark Angels Newest Threat -ESXi Ransomware [Pulse created by another user]", "description": "", "modified": "2024-01-22T19:45:31.378000", "created": "2024-01-22T19:45:31.378000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aec0fde095e6b58d81150c", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "859 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aec0fde095e6b58d81150c", "name": "Red Team & Law Firm attack target [copy users pulse] Denver, Arizona, Indiana, Germany", "description": "", "modified": "2024-01-22T19:24:45.664000", "created": "2024-01-22T19:24:45.664000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aebfa135f9d1d8ba5d74a9", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "859 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aebfa135f9d1d8ba5d74a9", "name": "Red Team - Cyber Security Defense Team attacking individuals for Attorney [copy]", "description": "", "modified": "2024-01-22T19:18:57.869000", "created": "2024-01-22T19:18:57.869000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709f9a3d87b76cacd54245", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "859 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4049421d107b6ade1c0", "name": "", "description": "", "modified": "2023-12-06T16:40:36.624000", "created": "2023-12-06T16:40:36.624000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3fdf7637f464de729d2", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:40:29.875000", "created": "2023-12-06T16:40:29.875000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3f88930c56241d29c80", "name": "Spammer", "description": "", "modified": "2023-12-06T16:40:24.522000", "created": "2023-12-06T16:40:24.522000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3f24e8fd846cc01d23e", "name": "DGA DOMAIN", "description": "", "modified": "2023-12-06T16:40:18.209000", "created": "2023-12-06T16:40:18.209000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3ec011405ef6fcd8cb0", "name": "Passive DNS", "description": "", "modified": "2023-12-06T16:40:12.247000", "created": "2023-12-06T16:40:12.247000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709f9a3d87b76cacd54245", "name": "Concerning link. Honeypot? Red Team? Privilege Abuse? Probably", "description": "", "modified": "2023-12-06T16:21:46.026000", "created": "2023-12-06T16:21:46.026000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ff7c709c8a4e9c777c77fb", "name": " ", "description": "", "modified": "2023-09-11T20:45:36.974000", "created": "2023-09-11T20:45:36.974000", "tags": [ "united", "script urls", "path max", "age86400 set", "cookie", "passive dns", "urls", "creation date", "search", "record value", "unknown", "date", "body", "domain related", "status", "value dnssec", "domain name", "expiration date", "llc state", "arizona status", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64ff7c5912f586a9a6f1d051", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1556, "hostname": 1962, "URL": 5396, "email": 23, "FileHash-SHA256": 2497, "FileHash-MD5": 193, "FileHash-SHA1": 163, "CVE": 2 }, "indicator_count": 11792, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "992 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ff7c5912f586a9a6f1d051", "name": " '_'", "description": "", "modified": "2023-09-11T20:45:13.685000", "created": "2023-09-11T20:45:13.685000", "tags": [ "united", "script urls", "path max", "age86400 set", "cookie", "passive dns", "urls", "creation date", "search", "record value", "unknown", "date", "body", "domain related", "status", "value dnssec", "domain name", "expiration date", "llc state", "arizona status", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64ff7c3e317fca955b512771", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1556, "hostname": 1962, "URL": 5396, "email": 23, "FileHash-SHA256": 2497, "FileHash-MD5": 193, "FileHash-SHA1": 163, "CVE": 2 }, "indicator_count": 11792, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "992 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ff7c3e317fca955b512771", "name": "Spammer ", "description": "", "modified": "2023-09-11T20:44:46.122000", "created": "2023-09-11T20:44:46.122000", "tags": [ "united", "script urls", "path max", "age86400 set", "cookie", "passive dns", "urls", "creation date", "search", "record value", "unknown", "date", "body", "domain related", "status", "value dnssec", "domain name", "expiration date", "llc state", "arizona status", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64ff7c15511f0383f74b70e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1556, "hostname": 1962, "URL": 5396, "email": 23, "FileHash-SHA256": 2497, "FileHash-MD5": 193, "FileHash-SHA1": 163, "CVE": 2 }, "indicator_count": 11792, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "992 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ff7c15511f0383f74b70e0", "name": "DGA DOMAIN ", "description": "", "modified": "2023-09-11T20:44:05.332000", "created": "2023-09-11T20:44:05.332000", "tags": [ "united", "script urls", "path max", "age86400 set", "cookie", "passive dns", "urls", "creation date", "search", "record value", "unknown", "date", "body", "domain related", "status", "value dnssec", "domain name", "expiration date", "llc state", "arizona status", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64ff7b32ed4ca99b3a372173", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1556, "hostname": 1962, "URL": 5396, "email": 23, "FileHash-SHA256": 2497, "FileHash-MD5": 193, "FileHash-SHA1": 163, "CVE": 2 }, "indicator_count": 11792, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "992 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ff7b32ed4ca99b3a372173", "name": "Passive DNS ", "description": "", "modified": "2023-09-11T20:40:18.041000", "created": "2023-09-11T20:40:18.041000", "tags": [ "united", "script urls", "path max", "age86400 set", "cookie", "passive dns", "urls", "creation date", "search", "record value", "unknown", "date", "body", "domain related", "status", "value dnssec", "domain name", "expiration date", "llc state", "arizona status", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d6a36bb35a9bfd13925ed3", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1556, "hostname": 1962, "URL": 5396, "email": 23, "FileHash-SHA256": 2497, "FileHash-MD5": 193, "FileHash-SHA1": 163, "CVE": 2 }, "indicator_count": 11792, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "992 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d6a36bb35a9bfd13925ed3", "name": "Concerning link. Honeypot? Red Team? Privilege Abuse? Probably", "description": "Hacked from VT by malicious code. Was a malicious link.\n(Not me I'm working alongside a hacker as always: The full text of the full report on the GoDaddy.com website, which was created in 2010, has been released.. and is available to view on www.happylifehappywife.)", "modified": "2023-09-11T01:03:05.359000", "created": "2023-08-11T21:08:59.401000", "tags": [ "united", "script urls", "path max", "age86400 set", "cookie", "passive dns", "urls", "creation date", "search", "record value", "unknown", "date", "body", "domain related", "status", "value dnssec", "domain name", "expiration date", "llc state", "arizona status", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1556, "hostname": 1962, "URL": 5396, "email": 23, "FileHash-SHA256": 2497, "FileHash-MD5": 193, "FileHash-SHA1": 163, "CVE": 2 }, "indicator_count": 11792, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "993 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "https://n0paste.eu/UH6n5pD/", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "as15169", "Verification failure observed in automated verification handlers during sandbox replay.", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act" ], "malware_families": [ "Norwell" ], "industries": [ "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Education", "Technology", "Healthcare", "Telecommunications", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 30, "pulses": [ { "id": "6a132a7a71682c83e9c17835", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-26T06:44:42.987000", "created": "2026-05-24T16:42:34.355000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1765, "URL": 1325, "hostname": 1489, "FileHash-MD5": 224, "FileHash-SHA1": 268, "IPv4": 152, "domain": 1177, "CIDR": 4, "email": 11, "IPv6": 1, "URI": 3, "CVE": 2, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6425, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13404a015fc885f5edb1c9", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:38.213000", "created": "2026-05-24T18:15:38.213000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1340485f49d8abce143eea", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:36.238000", "created": "2026-05-24T18:15:36.238000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7a34bcc860b0e44ffc", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:34.350000", "created": "2026-05-24T16:42:34.350000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7762cac9a1007d9ece", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:31.294000", "created": "2026-05-24T16:42:31.294000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a66fa217054f3e57883", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:14.218000", "created": "2026-05-24T16:42:14.218000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a577896901b2c0b993b", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:41:59.005000", "created": "2026-05-24T16:41:59.005000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "vulners.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "vulners.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214859.584315 }