IOC Radar
SHA256 · High · Verified · Signal 68/100

5e9c35050b2dc101b7f0d2f69c38b91679bdf9feed8da09c31c0d805d1ec9786

Location: Hong Kong
First Seen: Mar 14, 2024 (822 days before this page was captured)
Last Seen: Jan 31, 2026 (133 days before this page was captured)
Reports: 4 source reports
Confidence: 68% (high)
Found in 4 reports. Confidence: high. Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash: primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 68%
Signal Score: 68 / 100
IDS Rule: No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 134 techniques

Feed Intelligence Summary

Source reports: 4
Confidence score: 68%
Category tags:
(Tag cloud; the tags were run together without separators in extraction. Recognizable tags include: agent tesla, black basta, botnet, command and control, cryptbot, darkgate, dorkbot, dridex, ebury, echobot, emotet, formbook stealer, gootloader, html smuggling, lazarus group, mirai botnet, netsupport rat, pegasus, ransomware, redline stealer, wacatac, zero-day exploit; MITRE ATT&CK technique IDs including T1003, T1055, T1059, T1071, T1105, T1190, T1486, T1566, T1573; sandbox signals such as injection_createremotethread, injection_runpe, allocates_rwx, modifies_proxy_wpad, persistence_autorun, nids_malware_alert; and geographic/ASN tags such as Hong Kong, united states, china as37963, vietnam, russia.)

Activity Timeline

1 total observation: Jan 31

Threat Activity Heatmap

Peak: 2026-01-31 (single observation; the Jun-to-Jun weekday calendar grid is omitted here)
Recent observations: 24h: 0 (dormant) · 7d: 0 (dormant) · 30d: 0 (dormant) · 3mo: 0 (dormant)
Threat Score: 68 (Medium Risk)
Signal Score: 68 · Confidence: 68% · Reports: 4
First seen: Mar 14, 2024 · Last seen: Jan 31, 2026
Verified IOC

VirusTotal: Not checked

WHOIS: (no data)

description
Operation Endgame 2: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or Mirai (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
references
- Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e
- https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html
- api.wipmania.com - Verdict: External IP Lookup Service, IP Address: 127.0.0.1
- Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc
- Apple: emails.redvue.com, apple-dns.net, nr-data.net
- IDS Detections: External IP Lookup Attempt To Wipmania; Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
- IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin
- DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions: accounts.google.com 172.253.125.84
- DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82
- Highlighted actions: Calls RtlWow64GetCurrentMachine, RtlWow64IsWowGuestMachineSupported
- Crowdsourced IDS rules: Matches rule (http_inspect) HTTP Content-Length message body was truncated
- Malware Behavior: Command and Control OB0004, C2 Communication B0030
- Malware Behavior: Communication OC0006, HTTP Communication C0002, WinINet C0005, InternetConnect C0005.001
- https://members.a-poster.info/ - Members anonymously bully, post porn, someone's name with malicious titles.
- Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll, emails.redvue.com, alt8.gstatic.com, asaawww.gstatic.com
- Ebury Botnet: alt14.gstatic.com, alt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com, cofr.jquery.com
- Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com, araclar.jquery.com, assets.jquery.com, assetsp.jquery.com
- Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com, brand.jquery.com, brandon.jquery.com, calendar.jquery.com
- Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com
- Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it, encrypted-tbn3.gstatic.com, jquery.com, www.code.jquery.com, api.jquery.com, blog.jquery.com, bugs.jquery.com, codeorigin.jquery.com
- Malware site - Hybrid-Analysis: apple-dns.net, www.metrobyt-mobile.com, www.trellian.com, d2tobj9dlmyzd8.cloudfront.net, alt001.www.gstatic.com, error.www.gstatic.com, a.www.gstatic.com, sddoodlepups.com, ransomed.vc (not found Data)
- Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966
- Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/
- Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian
- trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info
- https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2
- Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary
- Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior
- I really have no idea what's going on or how safe this platform is.
- https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary
- https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs
- https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark
- https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark
- https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark
- https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark
- https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark
- https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph
- https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details
- https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network
- http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61
- https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching a message from an active user.
- https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026
- https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355
- https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz
- Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz
- CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45
- https://otx.alienvault.com/indicator/domain/bunny.net
- https://otx.alienvault.com/indicator/ip/210.211.117.205
- https://otx.alienvault.com/indicator/ip/143.244.50.212
- https://otx.alienvault.com/indicator/ip/125.235.4.59
- AV Detection: ELF:Mirai-GH\ [Trj]
- IDS Detections: MVPower DVR Shell UCE; Mirai Variant User-Agent (Outbound); JAWS Webserver Unauthenticated Shell Command Execution
- IDS Detections: Huawei Remote Command Execution (CVE-2017-17215); Huawei Remote Command Execution - Outbound (CVE-2017-17215); Huawei HG532 RCE Vulnerability (CVE-2017-17215); Mirai Variant User-Agent (Inbound); HackingTrio UA (Hello, World); 401TRG Generic Webshell Request - POST with wget in body; HTTP traffic on port 443 (POST)
- IDS Detections: Mirai Variant User-Agent (Inbound); HackingTrio UA (Hello, World)
- IDS Detections: 401TRG Generic Webshell Request - POST with wget in body; HTTP traffic on port 443 (POST) ...
- Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout
- Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz
- https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0
- cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique
- Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen
- Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen
- Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems)
- Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)
- Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)
- https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net, wallpapers-nature.com
- Was anyone else notified? I'm not sure why I was.
- Through research I did notice many references to the target I'm researching for. Phishing/Injection attempt? I didn't click on links.
- CS Sigma: Matches rule Python Initiated Connection by frack113
- David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)
- b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk
- Insecure headers found in search histories: games.com, microsoft.com, [email protected], secure.login.gov, static.secure.login.gov
- https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k
- https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2
- https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js
- https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr
- Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\u003c | http://www.microsoft.com/lin... | http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact
- https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__
- login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate | http://microsoft.com/link
- https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)
- https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8
- server-18-161-6-16.hio52.r.cloudfront.net
- http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)
- http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs
- Group commentators discussed the profile link being changed.
- Also, when some users utilize 'Suggested IoCs', bulk IoCs are deleted before they can be included.
- Noticed a few users have multiple accounts w/ the same name, different followers, different follower count. Love this tool. Have questions about potential attacks.
- A few haven't logged in in months or sometimes longer (life); noticed pulses modified, missing, or can't log in.
- Email issue; virustotal also affected. Some having different IPs, different language, an American user on VT; telemetry content, strings, old browsers. Total menu change.
- Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30
- tesco sim = blocked access to otx, blank page .txt
- App_Privacy_Report_v4_2022-04-17T21_58_23- sim removed 15 mins ago.json.pdf

Export & API

STIX 2.1 Bundle
CSV Export
Permalink
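The STIX 2.1 export above is the form most TIPs and SIEMs ingest. As an added example (not IOC Radar's own export code), the following Python builds a STIX 2.1 Indicator whose pattern is the SHA-256 on this page, wraps it in a Bundle, and scans in-memory file contents against the indicator set. The page only gives first/last-seen dates, so midnight UTC timestamps are assumed; the namespace UUID used for deterministic indicator IDs and the sample bytes are constructed here, not taken from the page.

```python
"""Added example: STIX 2.1 Indicator + Bundle for a SHA-256 IOC, and a hash scan
against it. Hypothetical helper, not IOC Radar's export code; namespace UUID,
timestamps (date only on the page) and sample bytes are assumptions."""
import hashlib
import json
import re
import uuid
from typing import Dict, List

# Values copied from the IOC record on this page.
IOC_SHA256 = "5e9c35050b2dc101b7f0d2f69c38b91679bdf9feed8da09c31c0d805d1ec9786"
FIRST_SEEN = "2024-03-14T00:00:00.000Z"   # page gives the date only; midnight UTC assumed
LAST_SEEN = "2026-01-31T00:00:00.000Z"
CONFIDENCE = 68                           # heuristic 0-100 score from the page

# Constructed, fixed namespace so the same hash always yields the same indicator id.
_NS = uuid.UUID("7b4b2a5e-0d5f-4c2e-9f3a-1c2d3e4f5a6b")

_HEX64 = re.compile(r"^[0-9a-f]{64}$")
_PATTERN_RE = re.compile(r"\[file:hashes\.'SHA-256' = '([0-9a-f]{64})'\]")


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (the value the IOC identifies)."""
    return hashlib.sha256(data).hexdigest()


def make_indicator(sha256: str, first_seen: str, last_seen: str, confidence: int) -> dict:
    """Build a STIX 2.1 Indicator SDO whose pattern matches exactly one file hash."""
    sha256 = sha256.lower()
    if not _HEX64.match(sha256):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence is 0-100")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(_NS, sha256)}",
        "created": first_seen,
        "modified": last_seen,
        "name": f"SHA-256 {sha256[:12]}...",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{sha256}']",
        "pattern_type": "stix",
        "valid_from": first_seen,
        "confidence": confidence,
    }


def make_bundle(objects: List[dict]) -> dict:
    """Wrap SDOs in a STIX 2.1 Bundle (bundles carry no spec_version in 2.1)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def hashes_in(indicators: List[dict]) -> set:
    """Recover SHA-256 values from indicator patterns; other pattern shapes are ignored."""
    found = set()
    for ind in indicators:
        m = _PATTERN_RE.fullmatch(ind.get("pattern", ""))
        if m:
            found.add(m.group(1))
    return found


def match_files(files: Dict[str, bytes], indicators: List[dict]) -> List[str]:
    """Names of files whose SHA-256 is in the indicator set, sorted for stable output."""
    wanted = hashes_in(indicators)
    return sorted(name for name, data in files.items() if sha256_of(data) in wanted)


if __name__ == "__main__":
    ioc = make_indicator(IOC_SHA256, FIRST_SEEN, LAST_SEEN, CONFIDENCE)
    print(json.dumps(make_bundle([ioc]), indent=2))
    # Constructed sample bytes: the page carries no sample, so this scan reports no hits.
    print(match_files({"download.bin": b"constructed benign content"}, [ioc]))
```

The confidence field is carried through unchanged so downstream tooling can apply its own threshold; as the page itself notes, the 68 is a heuristic score, not a verdict.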

IOC Journey

Confidence: high
First detected 2 years ago · Last seen 4 months ago (relative to page capture)
Appeared in 4 threat reports