{ "type": "Domain", "indicator": "z.mn", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/z.mn", "alexa": "http://www.alexa.com/siteinfo/z.mn", "indicator": "z.mn", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3421914839, "indicator": "z.mn", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b83a04606c605361cb6", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "", "modified": "2023-12-06T14:56:03.320000", "created": "2023-12-06T14:56:03.320000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "hostname": 78, "URL": 346, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6253b49ac7891a2ad1ab0d09", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "Zt, Z.Z.r, is a new-found acronym for the word \"zt\", which means \"targuments\" or \"farg\" in the same place as the original.", "modified": "2022-05-11T00:02:13.446000", "created": "2022-04-11T04:54:50.508000", "tags": [ "ratio", "regexp", "apple iphone", "apple ipad", "apple ipod", "xmlhttprequest", "post", "contenttype", "text", "function", "symbol", "typeof", "null", "macintel", "attention", "please", "vpn app", "install details", "\u2019m", "purevpn: fast", "secure & easy", "purevpn", "productivity", "utilities", "ios apps", "app", "appstore", "app store", "iphone", "ipad", "ipod touch", "itouch", "itunes", "fast", "secure", "easy", "subscription", "requires", "global nav", "alwayson", "audit", "vpn connection", "service", "download", "enjoy", "first", "kill", "rest", "italian", "korean", "vpn - ip changer & security id", "energise inc", "data", "app privacy", "data privacy", "learn", "sans", "woff", "fontface", "u1c801c88", "u20b4", "u2de02dff", "ua640a69f", "ufe2efe2f", "u04b004b1", "u2116", "truetype", "start", "webflow css", "policy", "crowd ab", "university", "log data", "conditions", "third party", "1px1px", "sf ui", "sf pro", "helvetica", "arial", "alpha", "opacity", "icons", "misc", "overlays", "opacity35", "foundation", "layout", "opacity0", "spinner", "android", "object", "string", "number", "window", "date", "promise", "array", "error", "this", "void", "screen", "typeerror", "invalid attempt" ], "references": [ "xfe-URL-dk9ctyhidjrvgn.xyz-stix2-2.1-export.json", "https://unphionetor.com/fv.js?t=56193&cb=200694599", "https://ptauxofi.net/pfe/current/micro.tag.min.js?sw=/sw-check-permissions/3683319&var=iUnZZblURYgnN6e&z=3683319", "https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.css", "https://littlecdn.com/apps/templates/video/ytube-player-system-message/css/style.css?v=1.0", "https://saumeechoa.com/?track=aHR0cHM6Ly90cmFja2luZy51bml2ZXJzZXZwbi51cy9jbGljaz9waWQ9NjcxNSZvZmZlcl9pZD0yMTI3NDYmc3ViMT01MzcyMzcxNDM4NjU4ODkwNzImc3ViMj0yNjI3MzI1&meta-id=Nzc0OTkw&brandSafe=0&rsz=2627325&cd_meta_crid=25922&meta-tracking-id=17537694&s=537237143865889072&z=2627325&b=12554414&g=US&svar=1649650835&ssk=bcc25276d94a6fa37bb24c13fd15de7a&oaid=42988e84a84a44628299d1d3d4b64ca7&did=4&campid=5453729", "https://univvpn.page.link/jdF1?utm_medium=paid%20advertising&_branch_referrer=H4sIAAAAAAAAAx3Juw6DIBQA0K%2Bxo8JFQJqQTh2bdOtILo%2BqEZEIDvbrm3Y9Z6o1l2vXxRGGscWc2zinpZPn5yle%2BTEme2ugZ1mjcUep22oooUICp0woNfAegKtLI%2B8luC153E%2BTDxvnMoVdC0n573JEF9aQqgYBksEf0ZvZawGcYaBqcG%2BhLCGEoreesS%2BPLJI5mAAAAA%3D%3D&%243p=a_custom_1016725136998542259&~secondary_publisher=6715&~placement=2627325&~ad_id=6253ae198cf69b0001adbd33&_branch_match_id=1041559436699840584", "https://locationvpn.info/landers/swvpn/p25f_prop/styles.css", "https://fonts.googleapis.com/css?family=Open+Sans:700,300", "https://easyvpn.app.link/Hsj5csEsrob?%243p=a_custom_1032593427266339085&~click_id=b4f8buqlp9zvrbed&~trafficsource=propellerads&~externalid=537238981268836734&~camp=92&~channel=propellerads&~campaign_id=92&~campaign=92", "https://cdrvrs.com/4/1008180?var=2627325&rsz=2627325", "https://app.adjust.com/jt7cgc7?campaign=4969955&adgroup=1008180&creative=12542008&redirect_windows=https://billing.purevpn.com/aff.php?aff=45706&chan=propeller&event_callback_bs7gvg=http%3A%2F%2Fad.propellerads.com%2Fconversion.php%3Faid%3D3414548%26pid%3D%26tid%3D84891%26visitor_id%3D537239929124823177%26payout%3D$%7BPAYOUT%7D%26zoneid%3D$4969955", "https://bestfasttrackservices.com/landers/d/player_default1/?&domain=besttvllc.com&uclick=g6bg8rsc6o&uclickhash=g6bg8rsc6o-g6bg8rsc6o-gha4-0-xra3-4kghfe-4kirbl-015263", "https://bestfasttrackservices.com/landers/d/player_default1/current-device.min.js", "https://bestfasttrackservices.com/landers/d/player_default1/send.js" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Australia", "Romania" ], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "URL": 346, "hostname": 78, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1481 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Multiple other undocumented malware", "https://app.adjust.com/jt7cgc7?campaign=4969955&adgroup=1008180&creative=12542008&redirect_windows=https://billing.purevpn.com/aff.php?aff=45706&chan=propeller&event_callback_bs7gvg=http%3A%2F%2Fad.propellerads.com%2Fconversion.php%3Faid%3D3414548%26pid%3D%26tid%3D84891%26visitor_id%3D537239929124823177%26payout%3D$%7BPAYOUT%7D%26zoneid%3D$4969955", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/", "https://bestfasttrackservices.com/landers/d/player_default1/?&domain=besttvllc.com&uclick=g6bg8rsc6o&uclickhash=g6bg8rsc6o-g6bg8rsc6o-gha4-0-xra3-4kghfe-4kirbl-015263", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://bestfasttrackservices.com/landers/d/player_default1/current-device.min.js", "https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.css", "https://cdrvrs.com/4/1008180?var=2627325&rsz=2627325", "xfe-URL-dk9ctyhidjrvgn.xyz-stix2-2.1-export.json", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://littlecdn.com/apps/templates/video/ytube-player-system-message/css/style.css?v=1.0", "https://univvpn.page.link/jdF1?utm_medium=paid%20advertising&_branch_referrer=H4sIAAAAAAAAAx3Juw6DIBQA0K%2Bxo8JFQJqQTh2bdOtILo%2BqEZEIDvbrm3Y9Z6o1l2vXxRGGscWc2zinpZPn5yle%2BTEme2ugZ1mjcUep22oooUICp0woNfAegKtLI%2B8luC153E%2BTDxvnMoVdC0n573JEF9aQqgYBksEf0ZvZawGcYaBqcG%2BhLCGEoreesS%2BPLJI5mAAAAA%3D%3D&%243p=a_custom_1016725136998542259&~secondary_publisher=6715&~placement=2627325&~ad_id=6253ae198cf69b0001adbd33&_branch_match_id=1041559436699840584", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://fonts.googleapis.com/css?family=Open+Sans:700,300", "https://bestfasttrackservices.com/landers/d/player_default1/send.js", "https://saumeechoa.com/?track=aHR0cHM6Ly90cmFja2luZy51bml2ZXJzZXZwbi51cy9jbGljaz9waWQ9NjcxNSZvZmZlcl9pZD0yMTI3NDYmc3ViMT01MzcyMzcxNDM4NjU4ODkwNzImc3ViMj0yNjI3MzI1&meta-id=Nzc0OTkw&brandSafe=0&rsz=2627325&cd_meta_crid=25922&meta-tracking-id=17537694&s=537237143865889072&z=2627325&b=12554414&g=US&svar=1649650835&ssk=bcc25276d94a6fa37bb24c13fd15de7a&oaid=42988e84a84a44628299d1d3d4b64ca7&did=4&campid=5453729", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://unphionetor.com/fv.js?t=56193&cb=200694599", "https://easyvpn.app.link/Hsj5csEsrob?%243p=a_custom_1032593427266339085&~click_id=b4f8buqlp9zvrbed&~trafficsource=propellerads&~externalid=537238981268836734&~camp=92&~channel=propellerads&~campaign_id=92&~campaign=92", "https://ptauxofi.net/pfe/current/micro.tag.min.js?sw=/sw-check-permissions/3683319&var=iUnZZblURYgnN6e&z=3683319", "https://locationvpn.info/landers/swvpn/p25f_prop/styles.css", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Hoc Working" ], "malware_families": [ ".a , alf:heraklezeval:pws:win32/ldpinch!rfn", "!#lowfiwritemzinunusualextension", "Pws:win32/ymacco.aa50", "Alf:heraklezeval:trojan:win32/salgorea!rfn", "\"prepending (enc) ransomware\" (not an official name)", "\u2019m", "Cve-2023-27997", "Trojan:win32/qqpass", "!#addscopytostartup", "Cve-2025-42957" ], "industries": [ "Critical infrastructure", "Manufacturing", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b83a04606c605361cb6", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "", "modified": "2023-12-06T14:56:03.320000", "created": "2023-12-06T14:56:03.320000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "hostname": 78, "URL": 346, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6253b49ac7891a2ad1ab0d09", "name": "Nearly ALL App Store VPNs are a huge vulnerability", "description": "Zt, Z.Z.r, is a new-found acronym for the word \"zt\", which means \"targuments\" or \"farg\" in the same place as the original.", "modified": "2022-05-11T00:02:13.446000", "created": "2022-04-11T04:54:50.508000", "tags": [ "ratio", "regexp", "apple iphone", "apple ipad", "apple ipod", "xmlhttprequest", "post", "contenttype", "text", "function", "symbol", "typeof", "null", "macintel", "attention", "please", "vpn app", "install details", "\u2019m", "purevpn: fast", "secure & easy", "purevpn", "productivity", "utilities", "ios apps", "app", "appstore", "app store", "iphone", "ipad", "ipod touch", "itouch", "itunes", "fast", "secure", "easy", "subscription", "requires", "global nav", "alwayson", "audit", "vpn connection", "service", "download", "enjoy", "first", "kill", "rest", "italian", "korean", "vpn - ip changer & security id", "energise inc", "data", "app privacy", "data privacy", "learn", "sans", "woff", "fontface", "u1c801c88", "u20b4", "u2de02dff", "ua640a69f", "ufe2efe2f", "u04b004b1", "u2116", "truetype", "start", "webflow css", "policy", "crowd ab", "university", "log data", "conditions", "third party", "1px1px", "sf ui", "sf pro", "helvetica", "arial", "alpha", "opacity", "icons", "misc", "overlays", "opacity35", "foundation", "layout", "opacity0", "spinner", "android", "object", "string", "number", "window", "date", "promise", "array", "error", "this", "void", "screen", "typeerror", "invalid attempt" ], "references": [ "xfe-URL-dk9ctyhidjrvgn.xyz-stix2-2.1-export.json", "https://unphionetor.com/fv.js?t=56193&cb=200694599", "https://ptauxofi.net/pfe/current/micro.tag.min.js?sw=/sw-check-permissions/3683319&var=iUnZZblURYgnN6e&z=3683319", "https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.css", "https://littlecdn.com/apps/templates/video/ytube-player-system-message/css/style.css?v=1.0", "https://saumeechoa.com/?track=aHR0cHM6Ly90cmFja2luZy51bml2ZXJzZXZwbi51cy9jbGljaz9waWQ9NjcxNSZvZmZlcl9pZD0yMTI3NDYmc3ViMT01MzcyMzcxNDM4NjU4ODkwNzImc3ViMj0yNjI3MzI1&meta-id=Nzc0OTkw&brandSafe=0&rsz=2627325&cd_meta_crid=25922&meta-tracking-id=17537694&s=537237143865889072&z=2627325&b=12554414&g=US&svar=1649650835&ssk=bcc25276d94a6fa37bb24c13fd15de7a&oaid=42988e84a84a44628299d1d3d4b64ca7&did=4&campid=5453729", "https://univvpn.page.link/jdF1?utm_medium=paid%20advertising&_branch_referrer=H4sIAAAAAAAAAx3Juw6DIBQA0K%2Bxo8JFQJqQTh2bdOtILo%2BqEZEIDvbrm3Y9Z6o1l2vXxRGGscWc2zinpZPn5yle%2BTEme2ugZ1mjcUep22oooUICp0woNfAegKtLI%2B8luC153E%2BTDxvnMoVdC0n573JEF9aQqgYBksEf0ZvZawGcYaBqcG%2BhLCGEoreesS%2BPLJI5mAAAAA%3D%3D&%243p=a_custom_1016725136998542259&~secondary_publisher=6715&~placement=2627325&~ad_id=6253ae198cf69b0001adbd33&_branch_match_id=1041559436699840584", "https://locationvpn.info/landers/swvpn/p25f_prop/styles.css", "https://fonts.googleapis.com/css?family=Open+Sans:700,300", "https://easyvpn.app.link/Hsj5csEsrob?%243p=a_custom_1032593427266339085&~click_id=b4f8buqlp9zvrbed&~trafficsource=propellerads&~externalid=537238981268836734&~camp=92&~channel=propellerads&~campaign_id=92&~campaign=92", "https://cdrvrs.com/4/1008180?var=2627325&rsz=2627325", "https://app.adjust.com/jt7cgc7?campaign=4969955&adgroup=1008180&creative=12542008&redirect_windows=https://billing.purevpn.com/aff.php?aff=45706&chan=propeller&event_callback_bs7gvg=http%3A%2F%2Fad.propellerads.com%2Fconversion.php%3Faid%3D3414548%26pid%3D%26tid%3D84891%26visitor_id%3D537239929124823177%26payout%3D$%7BPAYOUT%7D%26zoneid%3D$4969955", "https://bestfasttrackservices.com/landers/d/player_default1/?&domain=besttvllc.com&uclick=g6bg8rsc6o&uclickhash=g6bg8rsc6o-g6bg8rsc6o-gha4-0-xra3-4kghfe-4kirbl-015263", "https://bestfasttrackservices.com/landers/d/player_default1/current-device.min.js", "https://bestfasttrackservices.com/landers/d/player_default1/send.js" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Australia", "Romania" ], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 267, "URL": 346, "hostname": 78, "FileHash-SHA256": 79, "email": 4 }, "indicator_count": 774, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1481 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "z.mn", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "z.mn", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780221565.73935 }