{ "type": "Domain", "indicator": "whenstarrsalign.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/whenstarrsalign.com", "alexa": "http://www.alexa.com/siteinfo/whenstarrsalign.com", "indicator": "whenstarrsalign.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4337151382, "indicator": "whenstarrsalign.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack", "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Telecommunications", "Education", "Technology", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "whenstarrsalign.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "whenstarrsalign.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780336011.0200195 }