{ "type": "Domain", "indicator": "xmlns.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/xmlns.com", "alexa": "http://www.alexa.com/siteinfo/xmlns.com", "indicator": "xmlns.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain xmlns.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2603725468, "indicator": "xmlns.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 19, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d00b0ea85aaf98736", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.954000", "created": "2026-04-04T19:46:05.954000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d28330920cf77f5b0", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.437000", "created": "2026-04-04T19:46:05.437000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7c0f0657edc9c6d735", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:04.113000", "created": "2026-04-04T19:46:04.113000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7bc549fa66f964d19b", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:03.621000", "created": "2026-04-04T19:46:03.621000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6709ad372568d7810af2e480", "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25", "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca", "modified": "2026-01-05T22:04:46.025000", "created": "2024-10-11T22:56:55.968000", "tags": [ "entity", "RCMP", "Alberta", "EPS", "Edmonton Police Services", "RCMP AB", "CrimeStoppers AB" ], "references": [ "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "", "https://rcmp[.]ca/en/alberta", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "", "Government", "Telecommunications", "Education", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 764, "FileHash-SHA1": 760, "FileHash-SHA256": 4062, "domain": 378, "hostname": 1808, "URL": 886, "SSLCertFingerprint": 18, "email": 10, "CVE": 1 }, "indicator_count": 8687, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690af483e0e2ee05752043cd", "name": "Mirai \u2022 Cycbot - Who is Dennis Schroeder (303) 444-4444 | Social Engineering ~ Legal", "description": "Mirai \u2022\nCycBot. Hackers connected\nto targets phone intercepting calls. |\nHi Dennis, how the heck are you? Who are you? We connected targets former phone to a lawyer to become familiar with botnet experience. Time spent speaking to several fraudulent people who pretend to be people they are not. \n\nFrom our side: A factual account was given to a professional sounding female phone actor who answered call without giving name of law firm or her own name / title , listened for some time , few screening questions, no one in \u2018 law firm\u2019 didn\u2019t know statutes of limitations.\n\nSad there was never a way for target to contact find legitimate legal representation due to being in multiple botnets. \n Very disturbing. \n\n#colorado_government", "modified": "2025-12-05T06:05:48.164000", "created": "2025-11-05T06:53:55.844000", "tags": [ "url https", "url http", "related pulses", "united", "redacted for", "meta", "accept encoding", "moved", "ip address", "record value", "encrypt", "backdoor", "trojandropper", "passive dns", "mtb oct", "ipv4 add", "urls", "twitter", "trojan", "cycbot", "dynamicloader", "medium", "ms windows", "write", "yara rule", "named pipe", "pe32", "defender", "install", "smartassembly", "malware", "local", "dns query", "xxx adult", "site top", "level domain", "total", "whitelisted", "yara detections", "dyndns domain", "filehash", "av detections", "ids detections", "windows nt", "win64", "khtml", "gecko", "acceptencoding", "as46606", "xserver", "killer gecko", "host", "hello2malware", "cnlocalhost", "dclocal", "guard", "url analysis", "files", "reverse dns", "azerbaijan asn", "asnone related", "destination", "port", "unknown", "et smtp", "message", "united kingdom", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "found", "newremotehost", "newexternalport", "newprotocol", "newinternalport", "helloworld", "nids", "high", "ddos", "hstr", "mtb nov", "ransom", "msie", "chrome", "gmt content", "hostname add", "present jun", "germany unknown", "domain add", "asn as24940", "germany asn", "domain", "files ip", "address", "less", "script urls", "dennis schrder", "a domains", "prox", "aaaa", "present nov", "blog von", "apache", "dennis schroder", "servers", "emails", "dnssec", "as197540", "dns resolutions", "hostname", "verdict", "present", "directui", "element", "classinfobase", "write c", "getclassinfoptr", "sgpauiclassinfo", "file v2", "document", "explorer", "movie", "insert", "mitre att", "ck matrix", "path", "hybrid", "general", "iframe", "click", "strings", "forbidden", "default", "pdf library", "delete c", "https domain", "tls sni", "steals", "format", "for privacy", "name servers", "date", "japan unknown", "entries", "next associated", "gmt etag", "pragma", "body", "accept", "script domains", "gmt cache", "certificate", "alerts", "analysis date", "file score", "present sep", "iemobile", "ok accept", "mirai", "cdn.calltrk.com", "type indicator" ], "references": [ "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "https://leg.colorado.gov/bills/hb20 ?", "https://mirai-nameko.jp/assets/delighters-js.php", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "colorado.gov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan", "Italy", "Aruba", "Finland", "India", "United Kingdom of Great Britain and Northern Ireland", "Australia", "Hong Kong", "Hungary", "Switzerland", "China", "France", "T\u00fcrkiye", "Canada", "Poland" ], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "Trojan:Win32/Predator.PVD!MTB", "display_name": "Trojan:Win32/Predator.PVD!MTB", "target": "/malware/Trojan:Win32/Predator.PVD!MTB" }, { "id": "Trojandropper:Win32/Cutwail.gen!K", "display_name": "Trojandropper:Win32/Cutwail.gen!K", "target": "/malware/Trojandropper:Win32/Cutwail.gen!K" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Legal", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7782, "domain": 5008, "hostname": 2287, "FileHash-SHA1": 318, "email": 7, "FileHash-SHA256": 1608, "FileHash-MD5": 356, "SSLCertFingerprint": 11, "CVE": 1 }, "indicator_count": 17378, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690af480b45560b4ae78a863", "name": "Mirai \u2022 Cycbot - Who is Dennis Schroeder (303) 444-4444 | Social Engineering ~ Legal", "description": "Mirai \u2022\nCycBot. Hackers connected\nto targets phone intercepting calls. |\nHi Dennis, how the heck are you? Who are you? We connected targets former phone to a lawyer to become familiar with botnet experience. Time spent speaking to several fraudulent people who pretend to be people they are not. \n\nFrom our side: A factual account was given to a professional sounding female phone actor who answered call without giving name of law firm or her own name / title , listened for some time , few screening questions, no one in \u2018 law firm\u2019 didn\u2019t know statutes of limitations.\n\nSad there was never a way for target to contact find legitimate legal representation due to being in multiple botnets. \n Very disturbing. \n\n#colorado_government", "modified": "2025-12-05T06:05:48.164000", "created": "2025-11-05T06:53:52.767000", "tags": [ "url https", "url http", "related pulses", "united", "redacted for", "meta", "accept encoding", "moved", "ip address", "record value", "encrypt", "backdoor", "trojandropper", "passive dns", "mtb oct", "ipv4 add", "urls", "twitter", "trojan", "cycbot", "dynamicloader", "medium", "ms windows", "write", "yara rule", "named pipe", "pe32", "defender", "install", "smartassembly", "malware", "local", "dns query", "xxx adult", "site top", "level domain", "total", "whitelisted", "yara detections", "dyndns domain", "filehash", "av detections", "ids detections", "windows nt", "win64", "khtml", "gecko", "acceptencoding", "as46606", "xserver", "killer gecko", "host", "hello2malware", "cnlocalhost", "dclocal", "guard", "url analysis", "files", "reverse dns", "azerbaijan asn", "asnone related", "destination", "port", "unknown", "et smtp", "message", "united kingdom", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "found", "newremotehost", "newexternalport", "newprotocol", "newinternalport", "helloworld", "nids", "high", "ddos", "hstr", "mtb nov", "ransom", "msie", "chrome", "gmt content", "hostname add", "present jun", "germany unknown", "domain add", "asn as24940", "germany asn", "domain", "files ip", "address", "less", "script urls", "dennis schrder", "a domains", "prox", "aaaa", "present nov", "blog von", "apache", "dennis schroder", "servers", "emails", "dnssec", "as197540", "dns resolutions", "hostname", "verdict", "present", "directui", "element", "classinfobase", "write c", "getclassinfoptr", "sgpauiclassinfo", "file v2", "document", "explorer", "movie", "insert", "mitre att", "ck matrix", "path", "hybrid", "general", "iframe", "click", "strings", "forbidden", "default", "pdf library", "delete c", "https domain", "tls sni", "steals", "format", "for privacy", "name servers", "date", "japan unknown", "entries", "next associated", "gmt etag", "pragma", "body", "accept", "script domains", "gmt cache", "certificate", "alerts", "analysis date", "file score", "present sep", "iemobile", "ok accept", "mirai", "cdn.calltrk.com", "type indicator" ], "references": [ "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "https://leg.colorado.gov/bills/hb20 ?", "https://mirai-nameko.jp/assets/delighters-js.php", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "colorado.gov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan", "Italy", "Aruba", "Finland", "India", "United Kingdom of Great Britain and Northern Ireland", "Australia", "Hong Kong", "Hungary", "Switzerland", "China", "France", "T\u00fcrkiye", "Canada", "Poland" ], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "Trojan:Win32/Predator.PVD!MTB", "display_name": "Trojan:Win32/Predator.PVD!MTB", "target": "/malware/Trojan:Win32/Predator.PVD!MTB" }, { "id": "Trojandropper:Win32/Cutwail.gen!K", "display_name": "Trojandropper:Win32/Cutwail.gen!K", "target": "/malware/Trojandropper:Win32/Cutwail.gen!K" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Legal", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7782, "domain": 5008, "hostname": 2287, "FileHash-SHA1": 318, "email": 7, "FileHash-SHA256": 1608, "FileHash-MD5": 356, "SSLCertFingerprint": 11, "CVE": 1 }, "indicator_count": 17378, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bbf3e40e3ce8a74aa89545", "name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang", "description": "", "modified": "2025-10-06T08:03:23.285000", "created": "2025-09-06T08:42:12.787000", "tags": [ "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "search", "title", "date", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "get http", "dns resolutions", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cnamazon rsa", "m03 oamazon", "thumbprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "yara detections", "contacted", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "detections tls", "indicator role", "title added", "active related", "entries", "role title", "added active", "filehashmd5", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null }, { "id": "RokRAT", "display_name": "RokRAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Hospitality", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 539, "FileHash-SHA1": 389, "FileHash-SHA256": 3386, "domain": 862, "hostname": 1155, "URL": 4091, "CVE": 3, "SSLCertFingerprint": 5 }, "indicator_count": 10430, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687d18de7177474b759ab2b7", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:10.608000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687d18d829739be014393c59", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:04.872000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6656e6dbbe018a2dcb28a8e0", "name": "advancedstream.net - Acquired Apple iOS infrastructure, DNS,", "description": "Apple iOS service modifier.", "modified": "2024-06-28T08:01:11.978000", "created": "2024-05-29T08:27:07.009000", "tags": [ "reverse dns", "location united", "america flag", "lakewood", "united", "america asn", "dns resolutions", "domain", "domain status", "server", "algorithm", "key usage", "xcitium verdict", "cloud", "popularity", "rank position", "info", "date", "registrar abuse", "iana id", "contact phone", "dnssec", "registrar url", "registrar whois", "llc registry", "expiry date", "first", "law firm", "fort wayne", "co", "referrer", "historical ssl", "name verdict", "falcon sandbox", "sha256", "ascii text", "sha1", "size", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "span", "hybrid", "body", "footer", "contact", "local", "encrypt", "click", "facebook", "strings", "meta", "district", "generator", "code", "service", "bill", "nemtih", "sredrum", "co lp", "dynamicloader", "default", "medium", "show", "http request", "http", "delete", "ids detections", "yara detections", "copy", "powershell", "win64", "write", "malware", "download", "malware", "trojan", "windows", "shellexecuteexw", "search", "entries", "writeconsolew", "registry", "t1031", "modify existing", "dock", "win32" ], "references": [ "Reverse DNS: advancedstream.net Location: United States of America - Lakewood, Colorado United States of America", "ASN AS30170 isomedia inc. DNS Resolutions 1 Domain", "spamgateway.advancedstream.net", "smtpha.momentumtelecom.com", "cityoffortwayne.org | detect.cityoffortwayne.org | https://engage.cityoffortwayne.org/", "https://utilities.cityoffortwayne.org/wp-content/uploads/2023/05/2023-Biosolids-Info-Sheet.pdf", "podcast.hallco.org hmmm? Who could it be.", "IDS Detections: PE EXE or DLL Windows file download HTTP | SUSPICIOUS Dotted Quad Host MZ Response | Packed Executable Download", "IDS Detectionsa: Executable Download from dotted-quad Host | Terse alphanumeric executable downloader high likelihood of being hostile", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "Alerts: network_ip_exe network_questionable_http_path suricata_alert", "Alerts: dynamic_function_loading powershell_download powershell_request network_cnc_http network_http", "Alerts: dead_connect antivm_network_adapters", "https://otx.alienvault.com/indicator/file/a909dd4960d4da51de82e4dfff0a5aa60e35da6b2845680716ad832dc1d8b010", "http://www.leechburg.k12.pa.us/cms/lib09/PA01916522/Centricity/Domain/4/Mr.%20Ritzel%20obituary.pdf", "https://ato.gov.au.69741db048f4bdd03a6dad409e702ab4.grantelgin.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:CoinminerX-gen\\ [Trj]", "display_name": "Win32:CoinminerX-gen\\ [Trj]", "target": null }, { "id": "Win.Malware.Tofsee-6958935-0", "display_name": "Win.Malware.Tofsee-6958935-0", "target": null }, { "id": "Trojan:Win32/SmokeLoader.YL", "display_name": "Trojan:Win32/SmokeLoader.YL", "target": "/malware/Trojan:Win32/SmokeLoader.YL" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 338, "FileHash-SHA1": 77, "email": 2, "hostname": 497, "URL": 928, "FileHash-SHA256": 572, "FileHash-MD5": 76, "SSLCertFingerprint": 6 }, "indicator_count": 2496, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "660 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a2f9169d6996c1c928ac0b", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:56:54.333000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a2f9200337f0d1fa195ada", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:57:04.197000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "Alerts: dead_connect antivm_network_adapters", "https://ato.gov.au.69741db048f4bdd03a6dad409e702ab4.grantelgin.com/", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "firebase-auth-eich0v.pages.dev", "cityoffortwayne.org | detect.cityoffortwayne.org | https://engage.cityoffortwayne.org/", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://sslproxy.gatewayclient3.v.hikops.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "Obfuscation: XOR-based String Encryption (0x20)", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "https://maps.googleapis.com/maps/api/js?sensor=false", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "Researched publicly available information provided by representative of a target\u2019s estate", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "Researched: https://hcpf.colorado.gov/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Domains Contacted: smtp.gmail.com www.google.com", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "podcast.hallco.org hmmm? Who could it be.", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "Attacks are being carried out by The State of Colorado", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org", "https://leg.colorado.gov/bills/hb20 ?", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "colorado.gov", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "millet-usgc-1.palantirfedstart.com", "nr-data.net [Apple Private Data Collection]", "https://www.pornhub.com/video/search?search=tsara+brashears", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "T1110.001 (Brute Force: Password Guessing)", "Tulach IP: 114.114.114.114", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://passwords.google/?utm_medium=hpp&utm", "ASN AS30170 isomedia inc. DNS Resolutions 1 Domain", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "IDS Detectionsa: Executable Download from dotted-quad Host | Terse alphanumeric executable downloader high likelihood of being hostile", "https://www.google.com/?authuser=0", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://rcmp[.]ca/en/alberta", "record-viewer-application.hcahealthcare.cloud", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "https://utilities.cityoffortwayne.org/wp-content/uploads/2023/05/2023-Biosolids-Info-Sheet.pdf", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]", "System has placed affected on multiple policies cancelling private policy without notice.", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld", "https://clear.ml/infrastructure-control-plane", "spamgateway.advancedstream.net", "smtpha.momentumtelecom.com", "Reverse DNS: advancedstream.net Location: United States of America - Lakewood, Colorado United States of America", "Provided documented evidence of appealed state issued plan and disclosed financials.", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "Alerts: network_ip_exe network_questionable_http_path suricata_alert", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "http://www.leechburg.k12.pa.us/cms/lib09/PA01916522/Centricity/Domain/4/Mr.%20Ritzel%20obituary.pdf", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "https://khmerpornvideo.signup0.y.id/", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "cell-0.af-south-1.prod.telemetry.console.api.aws", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "IDS Detections: PE EXE or DLL Windows file download HTTP | SUSPICIOUS Dotted Quad Host MZ Response | Packed Executable Download", "https://mirai-nameko.jp/assets/delighters-js.php", "https://otx.alienvault.com/indicator/file/a909dd4960d4da51de82e4dfff0a5aa60e35da6b2845680716ad832dc1d8b010", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "Alerts: dynamic_function_loading powershell_download powershell_request network_cnc_http network_http", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "howtoworkacrickoutofyourneck2.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Cobalt strike", "Win.dropper.tofsee-10023347-0", "#lowfi:hstr:win32/exprio", "Win32:botx-gen\\ [trj]", "Backdoor:win32/tofsee", "Cve-2017-11882", "Alf:nid:susp_nsis_stub.a", "Trojandownloader:win32/tofsee", "Trojan:win32/fakefolder", "Ddos:linux/gafgyt.ya!mtb", "Trojan:win32/smokeloader.yl", "Backdoor:win32/arwobot.b", "Trojandownloader:win32/cutwailransom:win32/crowti.a", "Win.downloader.small-4507", "Win.trojan.agent-357800", "Alf:heraklezeval:ransom:win32/cve", "Lizar", "Trojandropper:win32/cutwail.gen!k", "Win.trojan.tepfer-61", "#lowfi:suspicioussectionname", "Trojan:win32/blackmon", "Tulach malware", "Nullsoft_nsis", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Trojandownloader:win32/cutwail", "Worm", "Alf:trojan:bat/envvarcharreplacement", "Win32:coinminerx-gen\\ [trj]", "Trojan:win32/eqtonex", "Win.malware.mikey-9949492-0", "Ransom:win32/wannaren.a", "Nids", "Win.trojan.gravityrat-6511862-0", "Ransom:win32/stopcrypt.ak!mtb", "Virtool:win32/obfuscator", "Worm:win32/enosch!atmn", "Rokrat", "Carbanak", "Cycbot", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Win.packed.bandook-9882274-1", "Win32:pwsx-gen\\ [trj]", "Win.malware.tofsee-6958935-0", "Trojandropper:win32/systex.a", "Unix.trojan.tsunami-6981155-0", "#lowfi:hstr:criakl.b1", "Trojan:win32/qbot.r!mtb", "Trojan:win32/meredrop", "Win32:malware-gen", "Mirai (elf)", "Domino", "Trojan:win32/danabot", "Backdoor:linux/demonbot.aa!mtb", "Unix.trojan.gafgyt-6981154-0", "Virtool:win32/vbinject.gen!mh", "#virtool:win32/obfuscator.adb", "Malware family: stealthworker / gobrut", "Trojan:win32/azorult", "Win32:agent-asti\\ [trj]", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Alf:exploit:o97m/cve-2017-8977", "Ransom:win32/crowti.a", "Project nemesis", "Trojan:win32/predator.pvd!mtb" ], "industries": [ "", "Telecommunications", "Civil society", "Networking", "Technology", "Education", "Hospitality", "Government", "Civilian society", "Healthcare", "Construction", "Insurance", "Legal", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 19, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d00b0ea85aaf98736", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.954000", "created": "2026-04-04T19:46:05.954000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d28330920cf77f5b0", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.437000", "created": "2026-04-04T19:46:05.437000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7c0f0657edc9c6d735", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:04.113000", "created": "2026-04-04T19:46:04.113000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7bc549fa66f964d19b", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:03.621000", "created": "2026-04-04T19:46:03.621000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6709ad372568d7810af2e480", "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25", "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca", "modified": "2026-01-05T22:04:46.025000", "created": "2024-10-11T22:56:55.968000", "tags": [ "entity", "RCMP", "Alberta", "EPS", "Edmonton Police Services", "RCMP AB", "CrimeStoppers AB" ], "references": [ "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "", "https://rcmp[.]ca/en/alberta", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "", "Government", "Telecommunications", "Education", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 764, "FileHash-SHA1": 760, "FileHash-SHA256": 4062, "domain": 378, "hostname": 1808, "URL": 886, "SSLCertFingerprint": 18, "email": 10, "CVE": 1 }, "indicator_count": 8687, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690af483e0e2ee05752043cd", "name": "Mirai \u2022 Cycbot - Who is Dennis Schroeder (303) 444-4444 | Social Engineering ~ Legal", "description": "Mirai \u2022\nCycBot. Hackers connected\nto targets phone intercepting calls. |\nHi Dennis, how the heck are you? Who are you? We connected targets former phone to a lawyer to become familiar with botnet experience. Time spent speaking to several fraudulent people who pretend to be people they are not. \n\nFrom our side: A factual account was given to a professional sounding female phone actor who answered call without giving name of law firm or her own name / title , listened for some time , few screening questions, no one in \u2018 law firm\u2019 didn\u2019t know statutes of limitations.\n\nSad there was never a way for target to contact find legitimate legal representation due to being in multiple botnets. \n Very disturbing. \n\n#colorado_government", "modified": "2025-12-05T06:05:48.164000", "created": "2025-11-05T06:53:55.844000", "tags": [ "url https", "url http", "related pulses", "united", "redacted for", "meta", "accept encoding", "moved", "ip address", "record value", "encrypt", "backdoor", "trojandropper", "passive dns", "mtb oct", "ipv4 add", "urls", "twitter", "trojan", "cycbot", "dynamicloader", "medium", "ms windows", "write", "yara rule", "named pipe", "pe32", "defender", "install", "smartassembly", "malware", "local", "dns query", "xxx adult", "site top", "level domain", "total", "whitelisted", "yara detections", "dyndns domain", "filehash", "av detections", "ids detections", "windows nt", "win64", "khtml", "gecko", "acceptencoding", "as46606", "xserver", "killer gecko", "host", "hello2malware", "cnlocalhost", "dclocal", "guard", "url analysis", "files", "reverse dns", "azerbaijan asn", "asnone related", "destination", "port", "unknown", "et smtp", "message", "united kingdom", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "found", "newremotehost", "newexternalport", "newprotocol", "newinternalport", "helloworld", "nids", "high", "ddos", "hstr", "mtb nov", "ransom", "msie", "chrome", "gmt content", "hostname add", "present jun", "germany unknown", "domain add", "asn as24940", "germany asn", "domain", "files ip", "address", "less", "script urls", "dennis schrder", "a domains", "prox", "aaaa", "present nov", "blog von", "apache", "dennis schroder", "servers", "emails", "dnssec", "as197540", "dns resolutions", "hostname", "verdict", "present", "directui", "element", "classinfobase", "write c", "getclassinfoptr", "sgpauiclassinfo", "file v2", "document", "explorer", "movie", "insert", "mitre att", "ck matrix", "path", "hybrid", "general", "iframe", "click", "strings", "forbidden", "default", "pdf library", "delete c", "https domain", "tls sni", "steals", "format", "for privacy", "name servers", "date", "japan unknown", "entries", "next associated", "gmt etag", "pragma", "body", "accept", "script domains", "gmt cache", "certificate", "alerts", "analysis date", "file score", "present sep", "iemobile", "ok accept", "mirai", "cdn.calltrk.com", "type indicator" ], "references": [ "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "https://leg.colorado.gov/bills/hb20 ?", "https://mirai-nameko.jp/assets/delighters-js.php", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "colorado.gov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan", "Italy", "Aruba", "Finland", "India", "United Kingdom of Great Britain and Northern Ireland", "Australia", "Hong Kong", "Hungary", "Switzerland", "China", "France", "T\u00fcrkiye", "Canada", "Poland" ], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "Trojan:Win32/Predator.PVD!MTB", "display_name": "Trojan:Win32/Predator.PVD!MTB", "target": "/malware/Trojan:Win32/Predator.PVD!MTB" }, { "id": "Trojandropper:Win32/Cutwail.gen!K", "display_name": "Trojandropper:Win32/Cutwail.gen!K", "target": "/malware/Trojandropper:Win32/Cutwail.gen!K" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Legal", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7782, "domain": 5008, "hostname": 2287, "FileHash-SHA1": 318, "email": 7, "FileHash-SHA256": 1608, "FileHash-MD5": 356, "SSLCertFingerprint": 11, "CVE": 1 }, "indicator_count": 17378, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690af480b45560b4ae78a863", "name": "Mirai \u2022 Cycbot - Who is Dennis Schroeder (303) 444-4444 | Social Engineering ~ Legal", "description": "Mirai \u2022\nCycBot. Hackers connected\nto targets phone intercepting calls. |\nHi Dennis, how the heck are you? Who are you? We connected targets former phone to a lawyer to become familiar with botnet experience. Time spent speaking to several fraudulent people who pretend to be people they are not. \n\nFrom our side: A factual account was given to a professional sounding female phone actor who answered call without giving name of law firm or her own name / title , listened for some time , few screening questions, no one in \u2018 law firm\u2019 didn\u2019t know statutes of limitations.\n\nSad there was never a way for target to contact find legitimate legal representation due to being in multiple botnets. \n Very disturbing. \n\n#colorado_government", "modified": "2025-12-05T06:05:48.164000", "created": "2025-11-05T06:53:52.767000", "tags": [ "url https", "url http", "related pulses", "united", "redacted for", "meta", "accept encoding", "moved", "ip address", "record value", "encrypt", "backdoor", "trojandropper", "passive dns", "mtb oct", "ipv4 add", "urls", "twitter", "trojan", "cycbot", "dynamicloader", "medium", "ms windows", "write", "yara rule", "named pipe", "pe32", "defender", "install", "smartassembly", "malware", "local", "dns query", "xxx adult", "site top", "level domain", "total", "whitelisted", "yara detections", "dyndns domain", "filehash", "av detections", "ids detections", "windows nt", "win64", "khtml", "gecko", "acceptencoding", "as46606", "xserver", "killer gecko", "host", "hello2malware", "cnlocalhost", "dclocal", "guard", "url analysis", "files", "reverse dns", "azerbaijan asn", "asnone related", "destination", "port", "unknown", "et smtp", "message", "united kingdom", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "found", "newremotehost", "newexternalport", "newprotocol", "newinternalport", "helloworld", "nids", "high", "ddos", "hstr", "mtb nov", "ransom", "msie", "chrome", "gmt content", "hostname add", "present jun", "germany unknown", "domain add", "asn as24940", "germany asn", "domain", "files ip", "address", "less", "script urls", "dennis schrder", "a domains", "prox", "aaaa", "present nov", "blog von", "apache", "dennis schroder", "servers", "emails", "dnssec", "as197540", "dns resolutions", "hostname", "verdict", "present", "directui", "element", "classinfobase", "write c", "getclassinfoptr", "sgpauiclassinfo", "file v2", "document", "explorer", "movie", "insert", "mitre att", "ck matrix", "path", "hybrid", "general", "iframe", "click", "strings", "forbidden", "default", "pdf library", "delete c", "https domain", "tls sni", "steals", "format", "for privacy", "name servers", "date", "japan unknown", "entries", "next associated", "gmt etag", "pragma", "body", "accept", "script domains", "gmt cache", "certificate", "alerts", "analysis date", "file score", "present sep", "iemobile", "ok accept", "mirai", "cdn.calltrk.com", "type indicator" ], "references": [ "Redirect from actual firm called - https://coloradoinjurylaw.com/denver-sexual-abuse-lawyer/", "leg.colorado.gov \u2022\tmaps.app.goo.gl", "https://leg.colorado.gov/bills/hb20 ?", "https://mirai-nameko.jp/assets/delighters-js.php", "Government porn: https://thehotporn.info/ \u2022 http://live-sex.space/ \u2022 charoenpornintergroup.com", "https://fr.bongacams10.com/erikasexy1 \u2022 https://www.bigcitycreations.com/s/stories/a-unisex-guide-to-pairing-colors", "colorado.gov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan", "Italy", "Aruba", "Finland", "India", "United Kingdom of Great Britain and Northern Ireland", "Australia", "Hong Kong", "Hungary", "Switzerland", "China", "France", "T\u00fcrkiye", "Canada", "Poland" ], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "Trojan:Win32/Predator.PVD!MTB", "display_name": "Trojan:Win32/Predator.PVD!MTB", "target": "/malware/Trojan:Win32/Predator.PVD!MTB" }, { "id": "Trojandropper:Win32/Cutwail.gen!K", "display_name": "Trojandropper:Win32/Cutwail.gen!K", "target": "/malware/Trojandropper:Win32/Cutwail.gen!K" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Legal", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7782, "domain": 5008, "hostname": 2287, "FileHash-SHA1": 318, "email": 7, "FileHash-SHA256": 1608, "FileHash-MD5": 356, "SSLCertFingerprint": 11, "CVE": 1 }, "indicator_count": 17378, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "xmlns.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "xmlns.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776597475.5289922 }