{
	"id": "d63a4db7-590e-4302-8854-656e28bdd643",
	"created_at": "2026-04-06T00:19:05.559719Z",
	"updated_at": "2026-04-10T03:31:46.352453Z",
	"deleted_at": null,
	"sha1_hash": "a013864facd4281e5db3715fa0ef31238562db6b",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 281263,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy msudosos\r\nArchived: 2026-04-02 10:45:03 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:DNSpionage\r\nPage 1 of 9\n\n39 Subscribers\r\nPage 2 of 9\n\n133 Subscribers\r\nPage 3 of 9\n\n133 Subscribers\r\nPage 4 of 9\n\nMALICIOUS ACTIVITY | Related to Amadey 05-05-2025\r\nFileHash-MD5: 60 | FileHash-SHA1: 61 | FileHash-SHA256: 60 | URL: 5 | YARA: 1\r\nPage 5 of 9\n\n26 Subscribers\r\n224 Subscribers\r\nBlack Tech\r\nCIDR: 1 | CVE: 37 | FileHash-MD5: 2449 | FileHash-SHA1: 217 | FileHash-SHA256: 3441 | URL: 2044 | Domain: 258 | Email: 4 | Hostname: 1100\r\nFound in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.\r\n224 Subscribers\r\nQbot\r\nCVE: 10 | FileHash-MD5: 1424 | FileHash-SHA1: 983 | FileHash-SHA256: 3174 | URL: 3167 | Domain: 4091 | Email: 25 | Hostname: 2422\r\n224 Subscribers\r\nBazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage\r\nCVE: 5 | FileHash-MD5: 2428 | FileHash-SHA1: 2136 | FileHash-SHA256: 5377 | SSLCertFingerprint: 4 | URL: 2401 | Domain: 3794 | Email: 19 | Hostname: 2763\r\nPage 6 of 9\n\nFound periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\r\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\r\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\r\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader\r\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7\r\n224 Subscribers\r\n224 Subscribers\r\n480 Subscribers\r\n218 Subscribers\r\nNokoyawa Ransomware - https://house.mo.gov/\r\nCVE: 4 | FileHash-MD5: 194 | FileHash-SHA1: 191 | FileHash-SHA256: 2376 | URL: 4388 | Domain: 1414 | Email: 5 | Hostname: 1699\r\nCyber attack including Pegasus found in https://house.mo.gov/ This Observed links: dns.msftncsi.com • https://dns.msftncsi.com/ • http://dns.msftncsi.com/ Appears to be attacking with heightened privilege escalation. Links originated from https://safebae.org attack, various Westlaw links and links attacking a private citizen. HallRender is malware hosting domain featuring an aggressive 'Brian Sabey' representing self as attorney protecting white collar individuals accused of SA is attacker. Boldly contacts victims via mail, email, phone, text, invites, personal invitations to office. Front facing https://safebae.org, a 'tribute' domain may mention alleged SA victim Daisy Coleman. Research confirms no mention of 'Daisy' safebae is filled with cyber bullying toolkit; ransomware.csv, tracking, westlaw, tagging tools, pornhub, rallypoint, adult malvertising content targeting a Colorado SA victim. It's all very real but so unbelievable. Malware spreading, cyberthreat\r\nPage 7 of 9\n\n218 Subscribers\r\n224 Subscribers\r\nVirTool:Win32/AccessMe | Ghost RAT\r\nCVE: 1 | FileHash-MD5: 143 | FileHash-SHA1: 130 | FileHash-SHA256: 1524 | SSLCertFingerprint: 2 | URL: 3340 | Domain: 1735 | Email: 6 | Hostname: 1398\r\n224 Subscribers\r\n224 Subscribers\r\nHoneypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,\r\nCVE: 5 | FileHash-MD5: 2213 | FileHash-SHA1: 1921 | FileHash-SHA256: 4239 | SSLCertFingerprint: 4 | URL: 1509 | Domain: 3480 | Email: 17 | Hostname: 2466\r\nFound periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\r\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\r\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\r\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader\r\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7 https://www.joesandbox.com/analysis/1311477\r\nTarget: Critical Risk. In person contact made. Fraud services offered. This is crazy.\r\n224 Subscribers\r\nPage 8 of 9\n\n218 Subscribers\r\n218 Subscribers\r\n218 Subscribers\r\nPEXE - DOS executable (COM)\r\nCVE: 2 | FileHash-MD5: 153 | FileHash-SHA1: 71 | FileHash-SHA256: 1690 | URL: 9526 | Domain: 4882 | Email: 250 | Hostname: 6120\r\n218 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:DNSpionage\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:DNSpionage"
	],
	"report_names": [
		"pulses?q=tag:DNSpionage"
	],
	"threat_actors": [
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34",
				"Cold River",
				"DNSpionage"
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775791906,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a013864facd4281e5db3715fa0ef31238562db6b.pdf",
		"text": "https://archive.orkl.eu/a013864facd4281e5db3715fa0ef31238562db6b.txt",
		"img": "https://archive.orkl.eu/a013864facd4281e5db3715fa0ef31238562db6b.jpg"
	}
}