{ "type": "Domain", "indicator": "zulily78.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zulily78.com", "alexa": "http://www.alexa.com/siteinfo/zulily78.com", "indicator": "zulily78.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3809632861, "indicator": "zulily78.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69b2730aa46a25d7949daa8d", "name": "apple retail dnspionage clone octoseek", "description": "", "modified": "2026-04-11T00:03:57.096000", "created": "2026-03-12T08:02:18.609000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "51 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65944a8149f2479b2fbc6cd1", "name": "Relic", "description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.", "modified": "2024-02-01T14:01:46.735000", "created": "2024-01-02T17:40:17.890000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers nel", "maxage5184000", "name verdict", "falcon sandbox", "whois record", "ssl certificate", "tsara brashears", "whois whois", "historical ssl", "contacted", "highly targeted", "hackers", "botnet", "apple ios", "malicious", "hacktool", "quasar", "download", "malware", "relic", "monitoring", "installer", "tofsee", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "united", "file", "pattern match", "path", "date", "win64", "factory", "model", "comspec", "hybrid", "general", "click", "strings", "patch", "song culture", "tulach" ], "references": [ "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "nr-data.net [Apple Private Data Collection]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "location-icloud.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "http://114.114.114.114/ipw.ps1", "194.245.148.189 [CnC]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "http://109.206.241.129/666bins/666.mpsl", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://watchhers.net/index.php [malware spreader]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "xred.mooo.com [pornhub trojan]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8049, "FileHash-MD5": 388, "FileHash-SHA1": 212, "FileHash-SHA256": 7062, "domain": 4401, "hostname": 2653, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 22769, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658a2b6cfdcfeec5db5f31a1", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:00.119000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658a2b70d4e5f1b1267a5a45", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:04.914000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ca31a0720e83e8630677d", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process [OctoSeek]", "description": "", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-27T22:20:10.878000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "Crowdsourced YARA Rulesets", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.apple.com/qtactivex/qtplugin.cab", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "143.244.50.213 |169.150.249.162 [malware_hosting]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "nr-data.net [Apple Private Data Collection]", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "http://dns1.whitelist.camect.com [interesting]", "https://pin.it/ [faux Pinterest for TB]", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "194.245.148.189 [CnC]", "xred.mooo.com [pornhub trojan]", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "http://www.screensaver.com/ruxitbeacon", "location-icloud.com", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "https://www.jbits.courts.state.co [interesting]", "20.190.160.67 Microsoft [exploit_source]", "http://114.114.114.114/ipw.ps1", "http://www.sos.state.co/ [interesting]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://stackabuse.com/assets/images/apple", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "20.190.160.2 Microsoft [exploit_source]", "114.114.114.114 [ Tulach Malware IP]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://watchhers.net/index.php [malware spreader]", "watson.telemetry.microsoft.us [Data traffic manager]", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "https://twitter.com/sheriffspurlock?lang=en", "watson.events.data.microsoft.com [traffic manager]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "20.190.160.73 Microsoft [exploit_source]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://109.206.241.129/666bins/666.mpsl", "www.anyxxxtube.net [tracking]", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Tofsee", "Quasar rat", "Malware", "Relic", "Hacktool", "Tulach", "Comspec", "Apple" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69b2730aa46a25d7949daa8d", "name": "apple retail dnspionage clone octoseek", "description": "", "modified": "2026-04-11T00:03:57.096000", "created": "2026-03-12T08:02:18.609000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "51 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65944a8149f2479b2fbc6cd1", "name": "Relic", "description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.", "modified": "2024-02-01T14:01:46.735000", "created": "2024-01-02T17:40:17.890000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers nel", "maxage5184000", "name verdict", "falcon sandbox", "whois record", "ssl certificate", "tsara brashears", "whois whois", "historical ssl", "contacted", "highly targeted", "hackers", "botnet", "apple ios", "malicious", "hacktool", "quasar", "download", "malware", "relic", "monitoring", "installer", "tofsee", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "united", "file", "pattern match", "path", "date", "win64", "factory", "model", "comspec", "hybrid", "general", "click", "strings", "patch", "song culture", "tulach" ], "references": [ "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "nr-data.net [Apple Private Data Collection]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "location-icloud.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "http://114.114.114.114/ipw.ps1", "194.245.148.189 [CnC]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "http://109.206.241.129/666bins/666.mpsl", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://watchhers.net/index.php [malware spreader]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "xred.mooo.com [pornhub trojan]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8049, "FileHash-MD5": 388, "FileHash-SHA1": 212, "FileHash-SHA256": 7062, "domain": 4401, "hostname": 2653, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 22769, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658a2b6cfdcfeec5db5f31a1", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:00.119000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658a2b70d4e5f1b1267a5a45", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process Writes", "description": "It's best to update, transfer data, and activate device over safe, trusted, private internet. Bot Networks and DNS Espionage positive. Very malicious with ability to compromise every network as compromised device logs into spreading an incredibly large, very malicious ongoing cyber \nwarfare attack. Command and control server.", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-26T01:25:04.914000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ca31a0720e83e8630677d", "name": "Apple Retail: DNSpionage | CNC Server| Injection | Remote Process [OctoSeek]", "description": "", "modified": "2024-01-25T01:03:33.919000", "created": "2023-12-27T22:20:10.878000", "tags": [ "Ghost RAT", "WebToolbar", "Nanocore RAT", "GameHack", "Cobalt Strike", "RedlineStealer", "HallGrand", "InstallCore", "InstallBrain", "Emotet", "Tofsee", "InMortal", "Bradesco", "Agent Tesla", "Mitre", "Pyscpa", "TrojanSpy", "SuppoBox", "Occamy", "DNSPIONAGE", "Stealer", "Password", "Apple", "Retail", "Cherry Creek Colorado", "Bot Networks", "Ghost RAT", "Networm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "658a2b6cfdcfeec5db5f31a1", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7996, "FileHash-SHA1": 3921, "FileHash-SHA256": 5341, "hostname": 2108, "domain": 1005, "URL": 5635, "CIDR": 2, "CVE": 21, "email": 28 }, "indicator_count": 26057, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zulily78.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zulily78.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780350016.148729 }