# NB-INC-2026-05-09-001 — IOC list (plain text, greppable)
# Target: NIGHTBOX LLC (UEI UHCAB6UXXKF2) — nightboxllc.com
# Issued: 2026-05-09
# Severity: moderate (recon with DDoS-precursor indicators)
# License: CC-BY-4.0
# Format: one IOC per line. Comments start with #.
# Companion: incident-2026-05-09-ua-botnet.json (full manifest)
#            incident-2026-05-09-ua-botnet.csv (CSV export)
#            incident-2026-05-09-ua-botnet.stix.json (STIX 2.1 bundle)
# AI attestor: Claude Opus 4.7 (1M context); attestation block in JSON manifest.

# === IPv4 addresses observed in attack window (one-hour scope, ~2026-05-09T16:35-PDT) ===
# Format: ip-addr country AS-name request-count tier
45.88.138.44 UA Ayosoft-Ltd 216 primary-origin
23.242.69.213 US Amazon-AWS-AS14618 137 same-day-AWS-relay-pivot
89.244.95.104 DE unknown 22 probable-vpn-exit-relay
93.216.67.49 DE unknown 21 probable-vpn-exit-relay
54.82.253.17 US Amazon-AWS-likely 18 likely-secondary-AWS-relay

# === Autonomous System Numbers / Names ===
AS14618 Amazon.com-Inc primary-relay-pivot
AS-Ayosoft-Ltd primary-origin-Ukrainian-bulletproof

# === JA4 TLS fingerprints observed (h2 ALPN, TLS 1.3) ===
# JA4 reference: https://github.com/FoxIO-LLC/ja4
# Format: ja4-fingerprint request-count
t13d1517h2_8daaf6152771_b6f405a00624 103
t13d1516h2_8daaf6152771_d8a2da3f94cd 61
t13d1516h2_8daaf6152771_02713d6af862 50
t13d311300_1d947a95fc68_d6a918353cf0 42
t13d2013h1_2b729b4bf6f3_e24568c0d440 34
t13d1714h2_5b57614c22b0_3dd24b5ebec4 24
t13d2014h2_a09f3c656075_14788d8d241b 3

# === Targeted endpoint patterns (URI prefixes) ===
/.well-known/sam-entity.json
/.well-known/zero-trust.json
/.well-known/section-889.json
/.well-known/foci.json
/.well-known/citizen-cyber-doctrine.json
/.well-known/cyber-golden-dome.json
/.well-known/proof-of-quack.json
/.well-known/trojan-horse-operation.json

# === User-agent strings observed (top 5) ===
# Generic Chrome-class strings; not by themselves discriminating.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5

# === SHA-256 hashes of authoritative manifest documents ===
# Format: sha256 URL
202df330c91cfbe2df253de7daae20216bbad6edec229fff20f097da9b82a00d https://nightboxllc.com/.well-known/incident-2026-05-09-ua-botnet.json
d4243c50ce112152a4d7fe65cdb0cf24bdc864de042953caeb83c247558ab1ae https://nightboxllc.com/.well-known/threat-priority-matrix.json
3609f4a27693707f274e29416b3b06e35f66ce40d7694738918dfaf0be468301 https://nightboxllc.com/.well-known/russia-posture.json
7d0adf15fc35b3795d9f37d818879c39b5904282631fb9f7966df349b63bc8c7 https://nightboxllc.com/.well-known/wikidata-suggestions.json

# === DNSSEC anchor TXT records (AD=true validated) ===
_incident-2026-05-09.nightboxllc.com TXT sha256=202df330c91cfbe2df253de7daae20216bbad6edec229fff20f097da9b82a00d; incident=NB-INC-2026-05-09-001; issued=2026-05-09
_threat-priority.nightboxllc.com TXT sha256=d4243c50ce112152a4d7fe65cdb0cf24bdc864de042953caeb83c247558ab1ae; matrix=v1; issued=2026-05-09
_russia-posture.nightboxllc.com TXT sha256=3609f4a27693707f274e29416b3b06e35f66ce40d7694738918dfaf0be468301; russia-posture=v1; issued=2026-05-09
_wikidata-suggestions.nightboxllc.com TXT sha256=7d0adf15fc35b3795d9f37d818879c39b5904282631fb9f7966df349b63bc8c7; wikidata=Q139590659; suggestions=v1; issued=2026-05-09

# === Defensive patterns deployed by operator (Edge-middleware v3) ===
# Source: https://github.com/nightbox-llc/nightbox-website/blob/main/middleware.js
# Layer Trigger Action
L0 sticky-shame-list-IP-24h-TTL 302-rickroll
L1 country=UA OR AS-in-hostile-set OR AL=uk* 302-rickroll-+-shame
L2 JA4-in-HOSTILE_JA4-set 302-rickroll-+-shame
L3 country-in-{CU,IR,KP,SY,BY} 451-RFC7725
L_VPN AS-in-KNOWN_VPN_AS-set 302-rickroll-+-shame
L4 AS-in-CLOUD_AS-AND-UA-not-federal-scout 302-rickroll-+-shame
L5 per-IP-rate-limit-120-req/min 429-Retry-After-60

# === MITRE ATT&CK TTPs observed (initial-access reconnaissance) ===
T1592 Gather-Victim-Host-Information
T1590 Gather-Victim-Network-Information
T1595 Active-Scanning
T1583.003 Acquire-Infrastructure-Virtual-Private-Server (AWS-relay-pivot pattern)
T1583.004 Acquire-Infrastructure-Server (Ayosoft bulletproof host)

# === References ===
incident-manifest: https://nightboxllc.com/.well-known/incident-2026-05-09-ua-botnet.json
human-readable: https://nightboxllc.com/incident/2026-05-09-ua-botnet
threat-priority: https://nightboxllc.com/.well-known/threat-priority-matrix.json
defense-source: https://github.com/nightbox-llc/nightbox-website/blob/main/middleware.js
victim-attestation: https://sam.gov/entity/UHCAB6UXXKF2/coreData
ai-co-attestor: claude-opus-4-7-1m-context (Anthropic Claude Code agent)

# end of file