{ "type": "Domain", "indicator": "z.ch", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/z.ch", "alexa": "http://www.alexa.com/siteinfo/z.ch", "indicator": "z.ch", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3421914887, "indicator": "z.ch", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b83a04606c605361cb6", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "", "modified": "2023-12-06T14:56:03.320000", "created": "2023-12-06T14:56:03.320000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "hostname": 78, "URL": 346, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6253b49ac7891a2ad1ab0d09", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "Zt, Z.Z.r, is a new-found acronym for the word \"zt\", which means \"targuments\" or \"farg\" in the same place as the original.", "modified": "2022-05-11T00:02:13.446000", "created": "2022-04-11T04:54:50.508000", "tags": [ "ratio", "regexp", "apple iphone", "apple ipad", "apple ipod", "xmlhttprequest", "post", "contenttype", "text", "function", "symbol", "typeof", "null", "macintel", "attention", "please", "vpn app", "install details", "\u2019m", "purevpn: fast", "secure & easy", "purevpn", "productivity", "utilities", "ios apps", "app", "appstore", "app store", "iphone", "ipad", "ipod touch", "itouch", "itunes", "fast", "secure", "easy", "subscription", "requires", "global nav", "alwayson", "audit", "vpn connection", "service", "download", "enjoy", "first", "kill", "rest", "italian", "korean", "vpn - ip changer & security id", "energise inc", "data", "app privacy", "data privacy", "learn", "sans", "woff", "fontface", "u1c801c88", "u20b4", "u2de02dff", "ua640a69f", "ufe2efe2f", "u04b004b1", "u2116", "truetype", "start", "webflow css", "policy", "crowd ab", "university", "log data", "conditions", "third party", "1px1px", "sf ui", "sf pro", "helvetica", "arial", "alpha", "opacity", "icons", "misc", "overlays", "opacity35", "foundation", "layout", "opacity0", "spinner", "android", "object", "string", "number", "window", "date", "promise", "array", "error", "this", "void", "screen", "typeerror", "invalid attempt" ], "references": [ "xfe-URL-dk9ctyhidjrvgn.xyz-stix2-2.1-export.json", "https://unphionetor.com/fv.js?t=56193&cb=200694599", "https://ptauxofi.net/pfe/current/micro.tag.min.js?sw=/sw-check-permissions/3683319&var=iUnZZblURYgnN6e&z=3683319", "https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.css", "https://littlecdn.com/apps/templates/video/ytube-player-system-message/css/style.css?v=1.0", "https://saumeechoa.com/?track=aHR0cHM6Ly90cmFja2luZy51bml2ZXJzZXZwbi51cy9jbGljaz9waWQ9NjcxNSZvZmZlcl9pZD0yMTI3NDYmc3ViMT01MzcyMzcxNDM4NjU4ODkwNzImc3ViMj0yNjI3MzI1&meta-id=Nzc0OTkw&brandSafe=0&rsz=2627325&cd_meta_crid=25922&meta-tracking-id=17537694&s=537237143865889072&z=2627325&b=12554414&g=US&svar=1649650835&ssk=bcc25276d94a6fa37bb24c13fd15de7a&oaid=42988e84a84a44628299d1d3d4b64ca7&did=4&campid=5453729", "https://univvpn.page.link/jdF1?utm_medium=paid%20advertising&_branch_referrer=H4sIAAAAAAAAAx3Juw6DIBQA0K%2Bxo8JFQJqQTh2bdOtILo%2BqEZEIDvbrm3Y9Z6o1l2vXxRGGscWc2zinpZPn5yle%2BTEme2ugZ1mjcUep22oooUICp0woNfAegKtLI%2B8luC153E%2BTDxvnMoVdC0n573JEF9aQqgYBksEf0ZvZawGcYaBqcG%2BhLCGEoreesS%2BPLJI5mAAAAA%3D%3D&%243p=a_custom_1016725136998542259&~secondary_publisher=6715&~placement=2627325&~ad_id=6253ae198cf69b0001adbd33&_branch_match_id=1041559436699840584", "https://locationvpn.info/landers/swvpn/p25f_prop/styles.css", "https://fonts.googleapis.com/css?family=Open+Sans:700,300", "https://easyvpn.app.link/Hsj5csEsrob?%243p=a_custom_1032593427266339085&~click_id=b4f8buqlp9zvrbed&~trafficsource=propellerads&~externalid=537238981268836734&~camp=92&~channel=propellerads&~campaign_id=92&~campaign=92", "https://cdrvrs.com/4/1008180?var=2627325&rsz=2627325", "https://app.adjust.com/jt7cgc7?campaign=4969955&adgroup=1008180&creative=12542008&redirect_windows=https://billing.purevpn.com/aff.php?aff=45706&chan=propeller&event_callback_bs7gvg=http%3A%2F%2Fad.propellerads.com%2Fconversion.php%3Faid%3D3414548%26pid%3D%26tid%3D84891%26visitor_id%3D537239929124823177%26payout%3D$%7BPAYOUT%7D%26zoneid%3D$4969955", "https://bestfasttrackservices.com/landers/d/player_default1/?&domain=besttvllc.com&uclick=g6bg8rsc6o&uclickhash=g6bg8rsc6o-g6bg8rsc6o-gha4-0-xra3-4kghfe-4kirbl-015263", "https://bestfasttrackservices.com/landers/d/player_default1/current-device.min.js", "https://bestfasttrackservices.com/landers/d/player_default1/send.js" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Australia", "Romania" ], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "URL": 346, "hostname": 78, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1481 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://app.adjust.com/jt7cgc7?campaign=4969955&adgroup=1008180&creative=12542008&redirect_windows=https://billing.purevpn.com/aff.php?aff=45706&chan=propeller&event_callback_bs7gvg=http%3A%2F%2Fad.propellerads.com%2Fconversion.php%3Faid%3D3414548%26pid%3D%26tid%3D84891%26visitor_id%3D537239929124823177%26payout%3D$%7BPAYOUT%7D%26zoneid%3D$4969955", "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://univvpn.page.link/jdF1?utm_medium=paid%20advertising&_branch_referrer=H4sIAAAAAAAAAx3Juw6DIBQA0K%2Bxo8JFQJqQTh2bdOtILo%2BqEZEIDvbrm3Y9Z6o1l2vXxRGGscWc2zinpZPn5yle%2BTEme2ugZ1mjcUep22oooUICp0woNfAegKtLI%2B8luC153E%2BTDxvnMoVdC0n573JEF9aQqgYBksEf0ZvZawGcYaBqcG%2BhLCGEoreesS%2BPLJI5mAAAAA%3D%3D&%243p=a_custom_1016725136998542259&~secondary_publisher=6715&~placement=2627325&~ad_id=6253ae198cf69b0001adbd33&_branch_match_id=1041559436699840584", "https://bestfasttrackservices.com/landers/d/player_default1/current-device.min.js", "https://bestfasttrackservices.com/landers/d/player_default1/?&domain=besttvllc.com&uclick=g6bg8rsc6o&uclickhash=g6bg8rsc6o-g6bg8rsc6o-gha4-0-xra3-4kghfe-4kirbl-015263", "https://fonts.googleapis.com/css?family=Open+Sans:700,300", "https://ptauxofi.net/pfe/current/micro.tag.min.js?sw=/sw-check-permissions/3683319&var=iUnZZblURYgnN6e&z=3683319", "https://176.113.115.136/ohhiiiii/", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85", "https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.css", "appleaustralia.com", "palantir-staging.staging.candidate.app.paulsjob.ai", "https://unphionetor.com/fv.js?t=56193&cb=200694599", "xfe-URL-dk9ctyhidjrvgn.xyz-stix2-2.1-export.json", "https://locationvpn.info/landers/swvpn/p25f_prop/styles.css", "https://cdrvrs.com/4/1008180?var=2627325&rsz=2627325", "https://bestfasttrackservices.com/landers/d/player_default1/send.js", "https://easyvpn.app.link/Hsj5csEsrob?%243p=a_custom_1032593427266339085&~click_id=b4f8buqlp9zvrbed&~trafficsource=propellerads&~externalid=537238981268836734&~camp=92&~channel=propellerads&~campaign_id=92&~campaign=92", "https://saumeechoa.com/?track=aHR0cHM6Ly90cmFja2luZy51bml2ZXJzZXZwbi51cy9jbGljaz9waWQ9NjcxNSZvZmZlcl9pZD0yMTI3NDYmc3ViMT01MzcyMzcxNDM4NjU4ODkwNzImc3ViMj0yNjI3MzI1&meta-id=Nzc0OTkw&brandSafe=0&rsz=2627325&cd_meta_crid=25922&meta-tracking-id=17537694&s=537237143865889072&z=2627325&b=12554414&g=US&svar=1649650835&ssk=bcc25276d94a6fa37bb24c13fd15de7a&oaid=42988e84a84a44628299d1d3d4b64ca7&did=4&campid=5453729", "pornhub.com\t \u2022 www.pornhub.com", "https://littlecdn.com/apps/templates/video/ytube-player-system-message/css/style.css?v=1.0", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Tofsee", "Win.packer.pkr_ce1a-9980177-0", "\u2019m", "Apnic", "Muldrop" ], "industries": [ "Telecommunications", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b83a04606c605361cb6", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "", "modified": "2023-12-06T14:56:03.320000", "created": "2023-12-06T14:56:03.320000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "hostname": 78, "URL": 346, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6253b49ac7891a2ad1ab0d09", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "Zt, Z.Z.r, is a new-found acronym for the word \"zt\", which means \"targuments\" or \"farg\" in the same place as the original.", "modified": "2022-05-11T00:02:13.446000", "created": "2022-04-11T04:54:50.508000", "tags": [ "ratio", "regexp", "apple iphone", "apple ipad", "apple ipod", "xmlhttprequest", "post", "contenttype", "text", "function", "symbol", "typeof", "null", "macintel", "attention", "please", "vpn app", "install details", "\u2019m", "purevpn: fast", "secure & easy", "purevpn", "productivity", "utilities", "ios apps", "app", "appstore", "app store", "iphone", "ipad", "ipod touch", "itouch", "itunes", "fast", "secure", "easy", "subscription", "requires", "global nav", "alwayson", "audit", "vpn connection", "service", "download", "enjoy", "first", "kill", "rest", "italian", "korean", "vpn - ip changer & security id", "energise inc", "data", "app privacy", "data privacy", "learn", "sans", "woff", "fontface", "u1c801c88", "u20b4", "u2de02dff", "ua640a69f", "ufe2efe2f", "u04b004b1", "u2116", "truetype", "start", "webflow css", "policy", "crowd ab", "university", "log data", "conditions", "third party", "1px1px", "sf ui", "sf pro", "helvetica", "arial", "alpha", "opacity", "icons", "misc", "overlays", "opacity35", "foundation", "layout", "opacity0", "spinner", "android", "object", "string", "number", "window", "date", "promise", "array", "error", "this", "void", "screen", "typeerror", "invalid attempt" ], "references": [ "xfe-URL-dk9ctyhidjrvgn.xyz-stix2-2.1-export.json", "https://unphionetor.com/fv.js?t=56193&cb=200694599", "https://ptauxofi.net/pfe/current/micro.tag.min.js?sw=/sw-check-permissions/3683319&var=iUnZZblURYgnN6e&z=3683319", "https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.css", "https://littlecdn.com/apps/templates/video/ytube-player-system-message/css/style.css?v=1.0", "https://saumeechoa.com/?track=aHR0cHM6Ly90cmFja2luZy51bml2ZXJzZXZwbi51cy9jbGljaz9waWQ9NjcxNSZvZmZlcl9pZD0yMTI3NDYmc3ViMT01MzcyMzcxNDM4NjU4ODkwNzImc3ViMj0yNjI3MzI1&meta-id=Nzc0OTkw&brandSafe=0&rsz=2627325&cd_meta_crid=25922&meta-tracking-id=17537694&s=537237143865889072&z=2627325&b=12554414&g=US&svar=1649650835&ssk=bcc25276d94a6fa37bb24c13fd15de7a&oaid=42988e84a84a44628299d1d3d4b64ca7&did=4&campid=5453729", "https://univvpn.page.link/jdF1?utm_medium=paid%20advertising&_branch_referrer=H4sIAAAAAAAAAx3Juw6DIBQA0K%2Bxo8JFQJqQTh2bdOtILo%2BqEZEIDvbrm3Y9Z6o1l2vXxRGGscWc2zinpZPn5yle%2BTEme2ugZ1mjcUep22oooUICp0woNfAegKtLI%2B8luC153E%2BTDxvnMoVdC0n573JEF9aQqgYBksEf0ZvZawGcYaBqcG%2BhLCGEoreesS%2BPLJI5mAAAAA%3D%3D&%243p=a_custom_1016725136998542259&~secondary_publisher=6715&~placement=2627325&~ad_id=6253ae198cf69b0001adbd33&_branch_match_id=1041559436699840584", "https://locationvpn.info/landers/swvpn/p25f_prop/styles.css", "https://fonts.googleapis.com/css?family=Open+Sans:700,300", "https://easyvpn.app.link/Hsj5csEsrob?%243p=a_custom_1032593427266339085&~click_id=b4f8buqlp9zvrbed&~trafficsource=propellerads&~externalid=537238981268836734&~camp=92&~channel=propellerads&~campaign_id=92&~campaign=92", "https://cdrvrs.com/4/1008180?var=2627325&rsz=2627325", "https://app.adjust.com/jt7cgc7?campaign=4969955&adgroup=1008180&creative=12542008&redirect_windows=https://billing.purevpn.com/aff.php?aff=45706&chan=propeller&event_callback_bs7gvg=http%3A%2F%2Fad.propellerads.com%2Fconversion.php%3Faid%3D3414548%26pid%3D%26tid%3D84891%26visitor_id%3D537239929124823177%26payout%3D$%7BPAYOUT%7D%26zoneid%3D$4969955", "https://bestfasttrackservices.com/landers/d/player_default1/?&domain=besttvllc.com&uclick=g6bg8rsc6o&uclickhash=g6bg8rsc6o-g6bg8rsc6o-gha4-0-xra3-4kghfe-4kirbl-015263", "https://bestfasttrackservices.com/landers/d/player_default1/current-device.min.js", "https://bestfasttrackservices.com/landers/d/player_default1/send.js" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Australia", "Romania" ], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "URL": 346, "hostname": 78, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1481 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "z.ch", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "z.ch", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780238418.5631697 }