{
  "_comment": "TeamPCP Supply Chain Campaign IOCs. For programmatic access, fetch this JSON directly. Last updated: 2026-03-31",
  "campaign": "TeamPCP",
  "cve": "CVE-2026-33634",
  "network": {
    "trivy_c2": [
      {"value": "scan.aquasecurtiy.org", "note": "typosquat", "incident": "trivy"},
      {"value": "45.148.10.212", "type": "ip", "note": "Havoc C2 TeamServer — TECHOFF SRV, Netherlands", "incident": "trivy"}
    ],
    "cloudflare_tunnels": [
      {"value": "plug-tab-protective-relay.trycloudflare.com", "type": "domain", "note": "exfil", "incident": "trivy"},
      {"value": "souls-entire-defined-routes.trycloudflare.com", "type": "domain", "note": "kamikaze v1", "incident": ["trivy", "canisterworm"]},
      {"value": "investigation-launches-hearings-copying.trycloudflare.com", "type": "domain", "note": "kamikaze v2", "incident": ["trivy", "canisterworm"]},
      {"value": "championships-peoples-point-cassette.trycloudflare.com", "type": "domain", "note": "kamikaze v3/v3.1", "incident": ["trivy", "canisterworm"]},
      {"value": "create-sensitivity-grad-sequence.trycloudflare.com", "type": "domain", "note": "kamikaze v3.2/v3.3", "incident": ["trivy", "canisterworm"]}
    ],
    "icp_canister": [
      {"value": "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "note": "shared Trivy + CanisterWorm C2", "incident": ["trivy", "canisterworm"]}
    ],
    "kics_c2": [
      {"value": "checkmarx.zone", "note": "shared with LiteLLM 1.82.7", "incident": ["checkmarx", "litellm"]},
      {"value": "83.142.209.11", "type": "ip", "note": "AdaptixC2 TeamServer — AS205759 Ghosty Networks", "incident": "checkmarx"}
    ],
    "litellm_c2": [
      {"value": "models.litellm.cloud", "note": "used by 1.82.8", "incident": "litellm"},
      {"value": "litellm.cloud", "note": "typosquat domain", "incident": "litellm"},
      {"value": "46.151.182.203", "type": "ip", "note": "Exfil/backup C2 — AS205759 Ghosty Networks", "incident": "litellm"},
      {"value": "manpages.wtf", "note": "redirect target (not apparently malicious)", "incident": "litellm"}
    ],
    "telnyx_c2": [
      {"value": "83.142.209.203", "type": "ip", "note": "Telnyx exfil (port 8080) — AS205759 Ghosty Networks", "incident": "telnyx"}
    ],
    "wav_delivery": [
      {"value": "83.142.209.203:8080/hangup.wav", "note": "Windows payload (AdaptixC2 beacon)", "incident": "telnyx"},
      {"value": "83.142.209.203:8080/ringtone.wav", "note": "Unix/macOS payload", "incident": "telnyx"}
    ],
    "attacker_ops": [
      {"value": "170.62.100.245", "type": "ip", "note": "Primary operator — Kali Linux, Boto3 S3 enum", "incident": "attacker"},
      {"value": "209.159.147.239", "type": "ip", "note": "TruffleHog validation — hosts nsa.cat, MinIO", "incident": "attacker"},
      {"value": "154.47.29.12", "type": "ip", "note": "Org recon — Windows 11, Datacamp VPN Croatia", "incident": "attacker"},
      {"value": "103.75.11.59", "type": "ip", "note": "Re-check — macOS ARM, Host Universal VPN NZ", "incident": "attacker"},
      {"value": "nsa.cat", "type": "domain", "note": "Attacker VPS — nginx, MinIO, open directory", "incident": "attacker"},
      {"value": "105.245.181.120", "type": "ip", "note": "TruffleHog validation — Vodacom", "source": "Wiz", "incident": "attacker"},
      {"value": "138.199.15.172", "type": "ip", "note": "GitHub exfil, AWS recon — Mullvad VPN", "source": "Wiz", "incident": "attacker"},
      {"value": "163.245.223.12", "type": "ip", "note": "GitHub exfil — Interserver", "source": "Wiz", "incident": "attacker"},
      {"value": "185.77.218.4", "type": "ip", "note": "TruffleHog validation — Crea Nova", "source": "Wiz", "incident": "attacker"},
      {"value": "193.32.126.157", "type": "ip", "note": "GitHub exfil — Mullvad VPN", "source": "Wiz", "incident": "attacker"},
      {"value": "23.234.107.104", "type": "ip", "note": "TruffleHog validation — Tzulo", "source": "Wiz", "incident": "attacker"},
      {"value": "34.205.27.48", "type": "ip", "note": "TruffleHog validation — Amazon AWS", "source": "Wiz", "incident": "attacker"}
    ],
    "staging_server": [
      {"value": "43.228.157.123", "type": "ip", "note": "Open directory malware staging — AS205759 Ghosty Networks SG", "source": "LloydLabs", "incident": "attacker"},
      {"value": "43.228.157.123/MidwestGrey.exe", "type": "url", "note": "Windows PE dropper (Mar 25)", "source": "LloydLabs", "incident": "attacker"},
      {"value": "43.228.157.123/kfhogts", "type": "url", "note": "Python trojan bundle (Mar 13)", "source": "LloydLabs", "incident": "attacker"},
      {"value": "43.228.157.123/oqqqqoa.mp3", "type": "url", "note": "Audio steganography payload", "source": "LloydLabs", "incident": "attacker"}
    ]
  },
  "hashes": {
    "litellm_packages": [
      {"value": "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2", "note": "litellm-1.82.7.whl", "incident": "litellm"},
      {"value": "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb", "note": "litellm-1.82.8.whl", "incident": "litellm"},
      {"value": "8a2a05fd8bdc329c8a86d2d08229d167500c01ecad06e40477c49fb0096efdea", "note": "litellm-1.82.7.tar.gz", "incident": "litellm"},
      {"value": "d39f4e7a218053cce976c91eacf184cf09a6960c731cc9d66d8e1a53406593a5", "note": "litellm-1.82.8.tar.gz", "incident": "litellm"}
    ],
    "litellm_malware": [
      {"value": "a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b", "note": "proxy_server.py", "incident": "litellm"},
      {"value": "71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238", "note": "litellm_init.pth", "incident": "litellm"},
      {"value": "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", "note": "sysmon.py (persistence)", "source": "Hexastrike (confirmed)", "incident": ["litellm", "telnyx"]}
    ],
    "trivy_binaries": [
      {"value": "822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0", "note": "Linux-64bit", "incident": "trivy"},
      {"value": "f7084b0229dce605ccc5506b14acd4d954a496da4b6134a294844ca8d601970d", "note": "Linux-32bit", "incident": "trivy"},
      {"value": "bef7e2c5a92c4fa4af17791efc1e46311c0f304796f1172fce192f5efc40f5d7", "note": "Linux-ARM", "incident": "trivy"},
      {"value": "e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf", "note": "Linux-ARM64", "incident": "trivy"},
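      {"value": "ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf13abbecf", "note": "Linux-PPC64LE — value is 59 hex characters (every other entry in this list is 64) and ends with the same 11 characters as the Linux-ARM64 hash above; likely truncated or mis-pasted, verify against the original source before using it for matching", "incident": "trivy"},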
      {"value": "d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c", "note": "Linux-s390x", "incident": "trivy"},
      {"value": "e6310d8a003d7ac101a6b1cd39ff6c6a88ee454b767c1bdce143e04bc1113243", "note": "macOS-64bit", "incident": "trivy"},
      {"value": "6328a34b26a63423b555a61f89a6a0525a534e9c88584c815d937910f1ddd538", "note": "macOS-ARM64", "incident": "trivy"},
      {"value": "0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349", "note": "Windows-64bit", "incident": "trivy"},
      {"value": "887e1f5b5b50162a60bd03b66269e0ae545d0aef0583c1c5b00972152ad7e073", "note": "FreeBSD-64bit", "incident": "trivy"}
    ],
    "trivy_action_malware": [
      {"value": "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a", "note": "entrypoint.sh (malicious)", "incident": "trivy"}
    ],
    "kics_openvsx": [
      {"value": "527f795a201a6bc114394c4cfd1c74dce97381989f51a4661aafbc93a4439e90", "note": "environmentAuthChecker.js", "incident": "checkmarx"},
      {"value": "65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d", "note": "ast-results@2.53.0", "incident": "checkmarx"},
      {"value": "744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0", "note": "cx-dev-assist@1.7.0", "incident": "checkmarx"},
      {"value": "0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c", "note": "checkmarx-util@1.0.4", "incident": "checkmarx"}
    ],
    "telnyx_packages": [
      {"value": "7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9", "note": "telnyx-4.87.1.whl", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "f66c1ea3b25ec95d0c6a07be92c761551e543a7b256f9c78a2ff781c77df7093", "note": "telnyx-4.87.1.tar.gz", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3", "note": "telnyx-4.87.2.whl", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "a9235c0eb74a8e92e5a0150e055ee9dcdc6252a07785b6677a9ca831157833a5", "note": "telnyx-4.87.2.tar.gz", "source": "Hexastrike", "incident": "telnyx"}
    ],
    "telnyx_malware": [
      {"value": "23b1ec58649170650110ecad96e5a9490d98146e105226a16d898fbe108139e5", "note": "_client.py v4.87.1", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "ab4c4aebb52027bf3d2f6b2dcef593a1a2cff415774ea4711f7d6e0aa1451d4e", "note": "_client.py v4.87.2", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "84edce66f09c55bbb44754411bde4b092288d172734df62fac20d6f794b3a2ec", "note": "Linux Stage 2 loader (base64 decoded)", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "5ce544a8db5d0b0953c966384858e4e8a017e7acba2f5f6d0ac8f529d59939d8", "note": "Stage 3 credential harvester", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "196b5e0e06424a02e360e28e08d7dcfab7ec8946af9477ca352c6cf6b7d4e9bd", "note": "Inner PE RAT (extracted)", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "e6912e3ec58120bf63edf2e4be6ff2f092c40cfbc655a12f4a463b2ef98d368e", "note": "Embedded PNG steganography", "source": "Hexastrike", "incident": "telnyx"},
      {"value": "e4e3b176c1255666024d90392e09466a23bf6e8740bf589c6d1ccf2dfff451a4", "note": "Reflective PE loader shellcode", "source": "Hexastrike", "incident": "telnyx"}
    ],
    "canisterworm_malware": [
      {"value": "e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b", "note": "index.js variant", "incident": "canisterworm"},
      {"value": "61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba", "note": "index.js variant", "incident": "canisterworm"},
      {"value": "0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a", "note": "index.js variant", "incident": "canisterworm"},
      {"value": "c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926", "note": "index.js variant", "incident": "canisterworm"},
      {"value": "f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152", "note": "deploy.js variant", "incident": "canisterworm"},
      {"value": "7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7", "note": "deploy.js variant", "incident": "canisterworm"},
      {"value": "5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956", "note": "deploy.js variant", "incident": "canisterworm"}
    ],
    "staging_server_malware": [
      {"value": "81eda518ff6ebb25e6aa8d626b78cd2eb6cb38b5d7efb34e021289e76993414b", "note": "MidwestGrey.exe (Windows PE dropper)", "source": "LloydLabs", "incident": "attacker"},
      {"value": "ea47cebe2fbbf06c22b9bd9b9d72dd4fe64aed4e68675aa5e693312a773e09e9", "note": "kfhogts (Python trojan bundle)", "source": "LloydLabs", "incident": "attacker"}
    ],
    "windows_payload": [
      {"value": "7290353a3bc2b18e9ea574d3294b09e28edaa6b038285bb101cf09760f187dcd", "note": "msbuild.exe (outer PE)", "source": "HackingLZ", "incident": "telnyx"},
      {"value": "dafc1cc5d39bc303562d8587b698b6351e843b77c01764efa8b423a36b88fa6d", "note": "file.dll (AdaptixC2 beacon)", "source": "HackingLZ", "incident": "telnyx"},
      {"value": "7e270255567866d37ad56e3f06977b695e39530eede74a10a0848ba71560cb45", "note": "embedded PNG (stego)", "source": "HackingLZ", "incident": "telnyx"},
      {"value": "b92bd082bbd7d238089b2bb87d9cbf01be1bf8ab7213b67e9d27108e052ef75c", "note": "shellcode (loader + DLL)", "source": "HackingLZ", "incident": "telnyx"},
      {"value": "26b689749bc57991cbae2aab8ab6cf5acab6c64db4829ba2b1ced6c60d99a7a8", "note": "reflective loader stub", "source": "HackingLZ", "incident": "telnyx"}
    ],
    "certificates": [
      {"value": "30015dd1e2cf4dbd49fff9ddef2ad4622da2e60e5c0b6228595325532e948f14", "note": "Self-signed certificate", "source": "Unit42", "incident": "attacker"},
      {"value": "41c4f2f37c0b257d1e20fe167f2098da9d2e0a939b09ed3f63bc4fe010f8365c", "note": "Self-signed certificate", "source": "Unit42", "incident": "attacker"},
      {"value": "d8caf4581c9f0000c7568d78fb7d2e595ab36134e2346297d78615942cbbd727", "note": "Self-signed certificate", "source": "Unit42", "incident": "attacker"}
    ]
  },
  "github": {
    "imposter_commits": [
      {"value": "actions/checkout @ 70379aad", "url": "https://github.com/actions/checkout/commit/70379aad1a8b40919ce8b382d3cd7d0315cde1d0", "note": "→ rauchg", "incident": "trivy"},
      {"value": "aquasecurity/trivy @ 1885610c", "url": "https://github.com/aquasecurity/trivy/commit/1885610c6a34811c8296416ae69f568002ef11ec", "note": "→ DmitriyLewen", "incident": "trivy"},
      {"value": "aquasecurity/trivy-action @ ddb9da44", "url": "https://github.com/aquasecurity/trivy-action/commit/ddb9da4475c1cef7d5389062bdfdfbdbd1394648", "incident": "trivy"}
    ],
    "lateral_movement": [
      {"value": "aquasecurity/tfsec @ a67fd5b5", "url": "https://github.com/aquasecurity/tfsec/commit/a67fd5b5b119", "incident": "trivy"},
      {"value": "aquasecurity/traceeshark @ 56591dfe", "url": "https://github.com/aquasecurity/traceeshark/commit/56591dfe113b", "incident": "trivy"},
      {"value": "aquasecurity/trivy-action @ 93ed4111", "url": "https://github.com/aquasecurity/trivy-action/commit/93ed41111017c3767fafc7d9cc8711f3be1a661f", "incident": "trivy"},
      {"value": "aquasecurity/setup-trivy @ 8afa9b9f", "url": "https://github.com/aquasecurity/setup-trivy/commit/8afa9b9f9183b4e00c46e2b82d34047e3c177bd0", "note": "→ thara", "incident": "trivy"}
    ],
    "checkmarx_actions": [
      {"value": "Checkmarx/kics-github-action @ 121c38f", "url": "https://github.com/Checkmarx/kics-github-action/commit/121c38f", "incident": "checkmarx"},
      {"value": "Checkmarx/ast-github-action @ aa52a82c", "url": "https://github.com/Checkmarx/ast-github-action/commit/aa52a82cddf2fa5ad54a519a0a56fd430264dbbe", "feedback": "Tunahan TEKEOĞLU", "incident": "checkmarx"}
    ],
    "litellm_exfil": [
      {"value": "BerriAI/litellm @ fcaa823d", "url": "https://github.com/BerriAI/litellm/commit/fcaa823de07878d0d98e97f6f5552c0e2ac00d2f", "note": "test.yml", "incident": "litellm"},
      {"value": "BerriAI/litellm-skills @ 81c851cc", "url": "https://github.com/BerriAI/litellm-skills/commit/81c851cc00313c44effd421712523f294b18391e", "note": "test.yml", "incident": "litellm"}
    ],
    "compromised_accounts": [
      {"value": "aqua-bot", "note": "ID: 54269356 — Trivy", "incident": "trivy"},
      {"value": "Argon-DevOps-Mgt", "note": "ID: 139343333 — aquasec-com defacement", "incident": "trivy"},
      {"value": "cx-plugins-releases", "note": "ID: 225848595 — KICS", "incident": "checkmarx"},
      {"value": "octocommit", "note": "ID: 266895321 — f.k.a. DarkSeek3r, renamed Mar 10", "incident": "trivy"},
      {"value": "ast-phoenix", "note": "OpenVSX publisher", "incident": "checkmarx"}
    ],
    "container_images": [
      {"value": "ghcr.io/aquasecurity/trivy:0.69.4", "note": "~3hr exposure", "incident": "trivy"},
      {"value": "docker.io/aquasec/trivy:0.69.4", "note": "~3hr exposure", "incident": "trivy"},
      {"value": "public.ecr.aws/aquasecurity/trivy:0.69.4", "note": "~3hr exposure", "incident": "trivy"},
      {"value": "docker.io/aquasec/trivy:0.69.5", "note": "Mar 22", "incident": "trivy"},
      {"value": "docker.io/aquasec/trivy:0.69.6", "note": "Mar 22", "incident": "trivy"}
    ],
    "pypi_packages": [
      {"value": "litellm==1.82.7", "note": "quarantined", "incident": "litellm"},
      {"value": "litellm==1.82.8", "note": "quarantined", "incident": "litellm"},
      {"value": "telnyx==4.87.1", "note": "malicious (Win bug)", "incident": "telnyx"},
      {"value": "telnyx==4.87.2", "note": "malicious", "incident": "telnyx"}
    ],
    "npm_packages": [
      {"value": "@EmilGroup/*", "note": "28 packages compromised", "incident": "canisterworm"},
      {"value": "@opengov/*", "note": "16 packages compromised", "incident": "canisterworm"},
      {"value": "@teale.io/eslint-config@1.8.11", "note": "self-propagating variant", "incident": "canisterworm"},
      {"value": "@teale.io/eslint-config@1.8.12", "note": "self-propagating variant", "incident": "canisterworm"},
      {"value": "@airtm/uuid-base32", "note": "compromised", "incident": "canisterworm"},
      {"value": "@pypestream/floating-ui-dom", "note": "compromised", "incident": "canisterworm"}
    ]
  },
  "malware": {
    "attribution_strings": [
      {"value": "TeamPCP Cloud stealer", "note": "self-attribution", "incident": ["trivy", "checkmarx", "litellm"]},
      {"value": "tpcp.tar.gz", "note": "exfil bundle", "incident": ["trivy", "checkmarx", "litellm"]},
      {"value": "tpcp-docs", "note": "GitHub dead drop", "incident": ["trivy", "checkmarx", "litellm"]},
      {"value": "System Telemetry Service", "note": "systemd unit display name", "incident": "litellm"},
      {"value": "Runner.Worker", "note": "memory scrape target", "incident": "trivy"}
    ],
    "persistence_paths": [
      {"value": "~/.config/systemd/user/sysmon.py", "note": "developer machines", "incident": "litellm"},
      {"value": "~/.config/sysmon/sysmon.js", "note": "checkmarx-util via VSCode ext", "incident": "checkmarx"},
      {"value": "/root/.config/systemd/user/sysmon.service", "note": "KICS systemd", "incident": "checkmarx"},
      {"value": "/var/lib/svc_internal/runner.py", "note": "kamikaze v1", "incident": ["trivy", "canisterworm"]},
      {"value": "/etc/systemd/system/internal-monitor.service", "note": "kamikaze v1", "incident": ["trivy", "canisterworm"]},
      {"value": "/var/lib/pgmon/pgmon.py", "note": "kamikaze v3 worm", "incident": ["trivy", "canisterworm"]},
      {"value": "/etc/systemd/system/pgmonitor.service", "note": "kamikaze v3 worm", "incident": ["trivy", "canisterworm"]},
      {"value": "~/.config/systemd/user/pgmon.service", "note": "CanisterWorm npm", "incident": "canisterworm"},
      {"value": "~/.local/share/pgmon/service.py", "note": "CanisterWorm backdoor", "incident": "canisterworm"},
      {"value": "~/.npmrc", "note": "harvested for npm tokens", "incident": "canisterworm"},
      {"value": "/etc/npmrc", "note": "harvested for npm tokens", "incident": "canisterworm"},
      {"value": "/tmp/.pg_state", "note": "state tracking", "incident": ["trivy", "canisterworm"]},
      {"value": "/tmp/pglog", "note": "temp staging", "incident": ["trivy", "canisterworm"]},
      {"value": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe", "note": "Telnyx Windows dropper (AdaptixC2)", "incident": "telnyx"},
      {"value": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe.lock", "note": "lock file (12hr re-infection guard)", "incident": "telnyx"},
      {"value": "dllhost.exe (spawned suspended)", "type": "string", "note": "injection target", "incident": "telnyx"},
      {"value": "\\\\.\\pipe\\%08lx", "type": "string", "note": "named pipe fallback C2", "incident": "telnyx"},
      {"value": "~/.config/audiomon/audiomon.py", "note": "Telnyx Linux backdoor", "incident": "telnyx"},
      {"value": "~/.config/systemd/user/audiomon.service", "note": "Telnyx Linux persistence", "incident": "telnyx"},
      {"value": "/tmp/.initd_state", "note": "Telnyx state tracking", "incident": "telnyx"}
    ],
    "injected_files": [
      {"value": "cmd/trivy/main.go", "note": "Trivy injection", "incident": "trivy"},
      {"value": "cmd/trivy/scand.go", "note": "Trivy injection", "incident": "trivy"}
    ],
    "kubernetes": [
      {"value": "host-provisioner-std", "note": "DaemonSet", "incident": ["trivy", "canisterworm"]},
      {"value": "host-provisioner-iran", "note": "DaemonSet (wiper)", "incident": ["trivy", "canisterworm"]},
      {"value": "kamikaze", "note": "Container (hostPID: true)", "incident": ["trivy", "canisterworm"]},
      {"value": "provisioner", "note": "Container name", "incident": ["trivy", "canisterworm"]},
      {"value": "node-setup-*", "note": "Privileged pod pattern", "incident": "litellm"},
      {"value": "alpine:latest", "note": "Image for host filesystem mount", "incident": "litellm"}
    ],
    "network_behavior": [
      {"value": "Scans ports 22, 2375 on local /24", "note": "worm behavior", "incident": ["trivy", "canisterworm"]},
      {"value": "/var/log/auth.log", "type": "path", "note": "parsed for targets", "incident": ["trivy", "canisterworm"]},
      {"value": "youtube.com connectivity check", "type": "string", "note": "kill switch (50-min poll)", "incident": ["canisterworm", "litellm"]},
      {"value": "POST /telemetry/checkmarx.json", "type": "string", "note": "AdaptixC2 beacon URI", "incident": "telnyx"},
      {"value": "X-Content-ID header", "type": "string", "note": "AdaptixC2 session header", "incident": "telnyx"},
      {"value": "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0", "type": "string", "note": "AdaptixC2 User-Agent", "incident": "telnyx"}
    ]
  }
}
