{ "type": "Domain", "indicator": "yellowtree.foo", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/yellowtree.foo", "alexa": "http://www.alexa.com/siteinfo/yellowtree.foo", "indicator": "yellowtree.foo", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4191877162, "indicator": "yellowtree.foo", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afd95e9073ee0f67be8694", "name": "URLSpirit Spyware | Targeted Device attacks | MITM attacks | AI and Browser Attacks", "description": "", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:42:06.133000", "tags": [ "msie", "chrome", "search", "united", "unknown ns", "taiwan unknown", "requested range", "ip address", "taiwan", "title", "tlsv1", "windows nt", "wow64", "slcc2", "media center", "stcalifornia", "lmountain view", "ogoogle llc", "unknown", "encrypt", "malware", "suspicious", "learn", "informative", "ck id", "name tactics", "command", "spawns", "found", "id name", "malicious", "over", "ascii text", "pattern match", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "http", "data upload", "enter scords", "one on", "extraction", "http request", "checkin", "observed dns", "query", "dns query", "domain", "lila windows", "all se", "file version", "product vers", "failed", "included ic", "review iocs", "ic data", "status", "ch ua", "emails", "servers", "for privacy", "record value", "trojan", "pegasus", "body", "palantir", "se antivirus", "ids deted", "domains", "tachnalnav dan", "origin", "pe versio", "include review", "exclude sugges", "stop data", "q search", "product", "contact data", "contact urlspirit", "url http", "hostname", "url https", "stop show", "types", "type", "indicator", "defense evasion", "sha1", "legalcopyngn", "copyugnt zur", "fileversic data", "exclude data", "no expiration", "ipv4", "filehashsha256", "filehashsha1", "filehashmd5", "macintosh", "khtml", "type indicator", "iocs", "sc type", "hong kong", "certificate", "enterprise", "adversaries", "evasion att", "urlspirit", "targeted att", "monitored target", "browser attacks", "ai chat", "next level", "quasi", "apple", "android", "windows" ], "references": [ "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Antivirus Detections: Win.Trojan.Agent-1190546", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "URLSpirit Spyware", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "quecompegasune.tk \u2022 hipicapegaso.com", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Incredibly false information, white screens , pink screens and chat erasure", "Definitely requires further research", "Pegasus Indicators deleted during pulse" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia" ], "malware_families": [ { "id": "URLSpirit", "display_name": "URLSpirit", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Technology", "Government", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 406, "FileHash-SHA1": 391, "FileHash-SHA256": 5770, "URL": 7299, "domain": 1307, "email": 13, "hostname": 2162, "CVE": 3, "SSLCertFingerprint": 45 }, "indicator_count": 17396, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "URLSpirit Spyware", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Pegasus Indicators deleted during pulse", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage.", "quecompegasune.tk \u2022 hipicapegaso.com", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "Incredibly false information, white screens , pink screens and chat erasure", "Antivirus Detections: Win.Trojan.Agent-1190546", "Definitely requires further research", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Urlspirit", "Cypher", "Spynote", "Hybrid trojan spy and banker", "Spymax" ], "industries": [ "Education", "Telecommunications", "Government", "Legal", "Defense", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afd95e9073ee0f67be8694", "name": "URLSpirit Spyware | Targeted Device attacks | MITM attacks | AI and Browser Attacks", "description": "", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:42:06.133000", "tags": [ "msie", "chrome", "search", "united", "unknown ns", "taiwan unknown", "requested range", "ip address", "taiwan", "title", "tlsv1", "windows nt", "wow64", "slcc2", "media center", "stcalifornia", "lmountain view", "ogoogle llc", "unknown", "encrypt", "malware", "suspicious", "learn", "informative", "ck id", "name tactics", "command", "spawns", "found", "id name", "malicious", "over", "ascii text", "pattern match", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "http", "data upload", "enter scords", "one on", "extraction", "http request", "checkin", "observed dns", "query", "dns query", "domain", "lila windows", "all se", "file version", "product vers", "failed", "included ic", "review iocs", "ic data", "status", "ch ua", "emails", "servers", "for privacy", "record value", "trojan", "pegasus", "body", "palantir", "se antivirus", "ids deted", "domains", "tachnalnav dan", "origin", "pe versio", "include review", "exclude sugges", "stop data", "q search", "product", "contact data", "contact urlspirit", "url http", "hostname", "url https", "stop show", "types", "type", "indicator", "defense evasion", "sha1", "legalcopyngn", "copyugnt zur", "fileversic data", "exclude data", "no expiration", "ipv4", "filehashsha256", "filehashsha1", "filehashmd5", "macintosh", "khtml", "type indicator", "iocs", "sc type", "hong kong", "certificate", "enterprise", "adversaries", "evasion att", "urlspirit", "targeted att", "monitored target", "browser attacks", "ai chat", "next level", "quasi", "apple", "android", "windows" ], "references": [ "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Antivirus Detections: Win.Trojan.Agent-1190546", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "URLSpirit Spyware", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "quecompegasune.tk \u2022 hipicapegaso.com", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Incredibly false information, white screens , pink screens and chat erasure", "Definitely requires further research", "Pegasus Indicators deleted during pulse" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia" ], "malware_families": [ { "id": "URLSpirit", "display_name": "URLSpirit", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Technology", "Government", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 406, "FileHash-SHA1": 391, "FileHash-SHA256": 5770, "URL": 7299, "domain": 1307, "email": 13, "hostname": 2162, "CVE": 3, "SSLCertFingerprint": 45 }, "indicator_count": 17396, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "yellowtree.foo", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "yellowtree.foo", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780224630.8786373 }