SHA256 · Medium · Signal 98/100
0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
Location
First Seen
May 5, 2021
Last Seen
May 21, 2026
Found in 8 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
98%
Signal Score
98 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
8 reports · 98% confidence
8
Source reports
98%
Confidence score
Category tags
(flattened tag cloud of category tags: malware family names, threat-actor names, MITRE ATT&CK technique IDs, industries, vendors and tooling; the tags run together without separators in this copy and cannot be reliably split)
Activity Timeline
May 21
Threat Activity Heatmap
Peak: 2026-05-21
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI generated)
This Indicator of Compromise (IOC) is a highly significant and critical threat that demands immediate attention. With an exceptionally high score of 98.339 and no whitelist status, this SHA-256 hash is strongly associated with sophisticated malicious activities. These activities include various ransomware groups and Advanced Persistent Threat (APT) actors like Lazarus Group, Fancy Bear, and Cozy Bear. Its presence in an environment suggests a severe compromise, potentially leading to widespread …
Threat Score: High Risk
98
SIGNAL
Signal Score
98%
Confidence
8
Reports
First seen: May 5, 2021
Last seen: May 21, 2026
VirusTotal
Not checked
WHOIS
- description
- PE32+ executable (native) x86-64, for MS Windows
- references
- https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 "Broken Seal" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.
- Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)
- Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare’s transit layer for resilience and to reduce direct exposure of origin infrastructure.
- Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 "Fail-Closed" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure
- Compilation / Toolchain: Compiler: Microsoft Visual C++ 2017; Linker: Microsoft Linker 14.16.27032; IDE: Visual Studio 2017 (15.9); Classification: PEBIN; TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%); PE Section Entropy (Suspicion): .data 7.36 → high (suggests packing/encryption), .reloc 6.66 → possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72; Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess
- Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.
- MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's "Broken Seal" exploit bypasses.
- As of Feb 13 (early AM) — Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)
- Verification failure observed in automated verification handlers during sandbox replay.
- The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls—including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation—are implemented to validate a high-interaction user environment prior to execution.
- Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.
- Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.
- SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.
- SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff — Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).
- nationalgrid.com — Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.
- eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.
- Whitelisted IP address 204.79.197.212 — Location: United States; ASN: AS8068 (Microsoft Corporation); Nameservers: ns4-205.azure-dns.info, ns1-205.azure-dns.com; WHOIS Registrar: MarkMonitor, Inc.; Creation Date: Mar 26, 1996; Related Pulses: OTX User-Created Pulses (50); Related Tags: 2025, 4328, 5943, 80211, #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf
- The dynamics of the mudoSOSIntersectalign with sophisticated adv
- Indicator Facts: 982 malicious files communicat
- The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30–.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr
- https://loldrivers.io/
- https://www.loldrivers.io/js/chart.min.js
- https://www.loldrivers.io/js/bundle.7cd1a644ff4540d19bfa43f193df74afce746a0213920f45d73bf720542f682d81b6ad0320242744d332512cfb63eac5790fab1a240d6e6c8cb89f25fcacfbd7.js
- https://www.loldrivers.io/favicons/browserconfig.xml
- https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/Drivers/loldrivers_only_hashes_list.csv
- https://github.com/wavestone-cdt/EDRSandblast
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
- https://cybersecsentinel.com/vanilla-tempest-unleashes-inc-ransomware-on-hospitals/
- https://www.mycert.org.my/portal/advisory?id=MA-1138.092024
- https://www.loldrivers.io/
- https://www.cisa.gov/sites/default/files/2023-12/aa23-347a-russian-foreign-intelligence-service-svr-exploiting-jetbrains-teamcity-cve-globally.pdf
- https://labs.inquest.net/iocdb
- https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
- https://www.loldrivers.io/api/drivers.json
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
Medium · First detected 5 years ago · Last seen 20 days ago
Appeared in 8 threat reports