{
	"id": "b06dce16-f4b7-4941-aaf0-fc51061f8153",
	"created_at": "2026-04-06T00:08:59.190345Z",
	"updated_at": "2026-04-10T13:12:19.853071Z",
	"deleted_at": null,
	"sha1_hash": "68453a0d0e6127c9512804176ab7f110e04a680d",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 311378,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy PetrP.73\r\nArchived: 2026-04-05 13:46:27 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:nmap\r\nPage 1 of 13\n\nKeeping our hand on Pulse. Mythic Likho cyberattacks on Russia's C.I.A\r\nFileHash-MD5: 35 | FileHash-SHA1: 35 | FileHash-SHA256: 35 | Domain: 19\r\nThe Mythic Likho group has been conducting sophisticated cyberattacks on Russian critical infrastructure since September 2024, utilizing a variety of malware tools including the Loki backdoor and the Merlin bootloader. Key methodologies include extensive reconnaissance of targets, where the group gathers detailed information about victims’ organizational structure, associated entities, email addresses, and business roles. This intelligence aids in crafting convincing phishing campaigns aimed at infiltrating target networks. Mythic Likho employs social engineering tactics, mimicking legitimate organizations to create trustworthy email addresses used for phishing. The group registers domains with Russian cloud services and often deploys virtual servers to facilitate their operations, leveraging platforms like Cloudflare to obscure their malicious IP addresses.\r\n161 Subscribers\r\n37 Subscribers\n\nmacOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net\r\nCIDR: 12 | CVE: 40 | FileHash-MD5: 223 | FileHash-SHA1: 523 | FileHash-SHA256: 2356 | SSLCertFingerprint: 302 | URL: 14263 | Domain: 3847 | Email: 223 | Hostname: 4449\r\nThis pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net. The infrastructure is composed of dynamically generated subdomains — many in the form of device-\u003cUUID\u003e.remotewd.com — indicative of automated deployment, system tracking, or per-host remote access configurations. Additional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques. This campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.\r\n30 Subscribers\n\nAISHAH LAZIM - Import Customs Data Records - ImportKey\r\nCIDR: 2 | CVE: 2 | FileHash-MD5: 1014 | FileHash-SHA256: 56 | URL: 253 | Domain: 181 | Email: 26 | Hostname: 149\r\nMacBook M2 chip bound to an unauthorized Microsoft Active Directory (AD) network, granting external control and command over the device. This situation has facilitated the illicit sale of personally identifiable information (PII) on the dark web. The criminal network responsible for this activity continues to grow at an alarming rate, while government authorities have remained largely inactive in addressing the issue.\r\n30 Subscribers\r\n316 Subscribers\r\n32 Subscribers\n\nRansomHub\r\nCVE: 9 | FileHash-SHA256: 24 | URL: 103 | Domain: 19 | Email: 2 | Hostname: 20\r\nRansomHub is a ransomware-as-a-service group focusing on financial gain through cyber extortion. It targets various sectors, including healthcare, government, and critical infrastructure, while explicitly avoiding attacks on certain countries like Cuba, North Korea, and China. Their methods include double extortion, where they encrypt victims' data and exfiltrate it for ransom, often demanding payment via a unique .onion URL. Victims receive a ransom note with a client ID and a deadline for payment before their data is leaked.\r\n25 Subscribers\n\nThe Real Jane Doe Syndrome Files\r\nCIDR: 3 | FileHash-SHA256: 219 | URL: 618 | Domain: 285 | Email: 21 | Hostname: 306\r\nAn array of scripts and files designed to completely compromise your MacBook and effectively erase your digital identity from the internet exists. This type of targeted attack is perpetrated by various groups for political or monetary agendas. It gradually takes over your devices and consumes your energy, time, career, and overall quality of life. In my case, the adversary involved is the DragonForce Malaysia Hacker Group.\r\n30 Subscribers\n\nPython: OVSAgentServer Document (autofilled name)\r\nCIDR: 14 | CVE: 76 | FileHash-MD5: 52 | FileHash-SHA1: 48 | FileHash-SHA256: 841 | URL: 218 | Domain: 288 | Email: 33 | Hostname: 180\r\nHere is the full text of the Vuze-dht-info script, which is written by \"Patrik Karlsson\" and followed by the following:-1-2-3. (Autofilled). This was pulled from a Windows 11 Hidden Folder from UAlberta Sample Device.\r\n128 Subscribers\r\n1,524 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:nmap",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:nmap"
	],
	"report_names": [
		"pulses?q=tag:nmap"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "531c57fb-7453-495b-99e8-e29acebe5d26",
			"created_at": "2026-04-10T02:00:04.014201Z",
			"updated_at": "2026-04-10T02:00:04.014201Z",
			"deleted_at": null,
			"main_name": "Mythic Likho",
			"aliases": [
				"Arcane Werewolf"
			],
			"source_name": "MISPGALAXY:Mythic Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434139,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68453a0d0e6127c9512804176ab7f110e04a680d.pdf",
		"text": "https://archive.orkl.eu/68453a0d0e6127c9512804176ab7f110e04a680d.txt",
		"img": "https://archive.orkl.eu/68453a0d0e6127c9512804176ab7f110e04a680d.jpg"
	}
}