General (01)
Date:2/13/2025 10:45:14 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Christian men testing me Gettysburg Address
Attachment:1491266170052144722.mp4;
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
Date:2/13/2025 1:51:52 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL]
https://www.instagram.com/stories/195619922000rubselnad/3567237714330411839?utm_source=ig_story_item_share&igsh=MTc4MmM1YmI2Ng==
Date:2/13/2025 11:35:04 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Men trying to make money on these ladies videos disgusting
Attachment:-8302509852832246363.mp4;
Date:2/15/2025 11:46:27 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] destroying your mind with your past
https://m.facebook.com/story.php?story_fbid=pfbid02vRoWP9ychypoYzKeK9R1VY3WAwFhw9CaTRY2YyYELH9CdhMkASsEXKTrAkV3sHkul&id=100094259776148&sfnsn=mo&mibextid=2Rb1fB
Date:2/15/2025 1:39:34 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL]
https://www.facebook.com/groups/arianagrandemusiccc/permalink/8588158021284247/?sfnsn=mo&ref=share&mibextid=VhDh1V
Date:2/15/2025 5:41:13 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Don't be mean to Ruben
Attachment:-5722268983169579286.mp4;
Date:2/15/2025 5:41:46 PM
From:"Ruben Soto"
To:
"
Attachment:-8713270519373806895.mp4;
Date:2/15/2025 5:42:14 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Kill your own kind
Attachment:6615164464951665346.mp4;
Date:2/15/2025 5:42:32 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Sick sense of humor
Attachment:2526998629334400904.mp4;
Date:2/17/2025 7:08:05 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Kicking me out against security alcoholic drunken fools
Attachment:-5666953263841500985.mp4;
Date:2/19/2025 8:47:00 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "Our father huh" on YouTube
https://youtube.com/shorts/_9n0x4xyylU?si=79zWWta3hLTUnSgu
Date:2/19/2025 8:59:38 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Fwd: Watch "Our father huh" on YouTube
---------- Forwarded message ---------
From: Ruben Soto <
Date: Wed, Feb 19, 2025, 8:50 AM
Subject: Watch "Our father huh" on YouTube
https://youtube.com/shorts/_9n0x4xyylU?si=79zWWta3hLTUnSgu
Date:2/19/2025 8:50:51 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Religion all bad
Attachment:6841332245380778454.mp4;
Date:2/19/2025 9:05:25 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Consequences for Disneyland men kicking me out again in Anaheim
Attachment:5252951310008121107.mp4;
Date:2/19/2025 9:37:15 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Fwd: Religion all bad
Attachment:6841332245380778454.mp4;
---------- Forwarded message ---------
From: Ruben Soto <
Date: Wed, Feb 19, 2025, 9:01 AM
Subject: Religion all bad
Date:2/19/2025 9:28:37 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] January 26, 2025
https://youtube.com/shorts/A0oTgbAOzoY?feature=shared
Date:2/19/2025 1:45:52 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Why my divorce went rogue
Attachment:-4128735824622999040.mp4;
Date:2/19/2025 6:01:09 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] 250219.pdf
Attachment:250219.pdf;
U.S. organizations: To report suspicious or criminal activity related to information found in this joint Cybersecurity
Advisory, contact your local FBI field office or CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
When available, please include the following information regarding the incident: date, time, and location of
the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the
submitting company or organization; and a designated point of contact.
This document is distributed as TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when
information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures
for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without
restriction. For more information on the Traffic Light Protocol, see cisa.gov/tlp.
TLP:CLEAR
#StopRansomware: Ghost (Cring) Ransomware
Co-Authored by:
Product ID: AA25-050A
February 19, 2025
Summary
Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Ghost (Cring) Ransomware Activity
• Maintain regular system backups stored separately from the source systems which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
• Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
  o Common Vulnerabilities and Exposures (CVE): CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
• Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
• Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
Note: This joint Cybersecurity Advisory is part of an
ongoing #StopRansomware effort to publish
advisories for network defenders that detail
various ransomware variants and ransomware
threat actors. These #StopRansomware advisories
include recently and historically observed tactics,
techniques, and procedures (TTPs) and indicators
of compromise (IOCs) to help organizations protect
against ransomware. Visit stopransomware.gov to
see all #StopRansomware advisories and to learn
more about other ransomware threats and no-cost
resources.
The Federal Bureau of Investigation (FBI),
Cybersecurity and Infrastructure Security Agency
(CISA), and the Multi-State Information Sharing
and Analysis Center (MS-ISAC) are releasing this
joint advisory to disseminate known Ghost (Cring)—
(“Ghost”)—ransomware IOCs and TTPs identified
through FBI investigation as recently as January
2025.
Beginning early 2021, Ghost actors began attacking
victims whose internet facing services ran outdated
versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has
led to the compromise of organizations across more than 70 countries, including organizations in China.
Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims
include critical infrastructure, schools and universities, healthcare, government networks, religious
institutions, technology and manufacturing companies, and numerous small- and medium-sized
businesses.
Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files,
modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution
of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike,
Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are:
Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain
access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where
available patches have not been applied.
The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations
section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.
For a downloadable copy of IOCs, see:
AA25-050A STIX XML (79KB)
AA25-050A STIX XML (Additional IOCs) (74KB)
AA25-050A STIX JSON (68KB)
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE
ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to
MITRE ATT&CK tactics and techniques.
Initial Access
The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing
applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging
vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion
(CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange
(CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207—commonly referred to as the ProxyShell attack
chain).
Execution
Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and
leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and
execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost
actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often
used for the purposes of testing an organization’s security controls.
Persistence
Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim
networks. In multiple instances, they have been observed proceeding from initial compromise to the
deployment of ransomware within the same day. However, Ghost actors sporadically create new local
[T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In
2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.
Privilege Escalation
Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the
SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second
time with elevated privileges [T1134.001].
Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation
through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.”
These privilege escalation tools would not generally be used by individuals with legitimate access and
credentials.
See Table 1 for a descriptive listing of tools.
Credential Access
Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords
and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other
victim devices.
Defense Evasion
Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to
determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost
frequently runs a command to disable Windows Defender on network connected devices. Options used in
this command are:
Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Discovery
Ghost actors have been observed using other built-in Cobalt Strike commands for domain account
discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135],
and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators
would be unlikely to use these tools for network share or remote systems discovery.
Lateral Movement
Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC)
[T1047] to run PowerShell commands on additional systems on the victim network—often for the purpose
of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64
PowerShell command that always begins with:
powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA…
[T1132.001][T1564.003].
This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("” and
is involved with the execution of Cobalt Strike in memory on the target machine.
In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed
abandoning an attack on a victim.
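The two command-line indicators this advisory gives, the Set-MpPreference options under Defense Evasion and the encoded PowerShell prefix above, can be checked against process-creation logs as sketched here. This is an added example, not part of the advisory: the sample command lines and finding labels are constructed, and a log source that records full command lines is assumed.

```python
import base64
import binascii
import re

# Decoded start of the lateral-movement command, as given in the advisory.
LOADER_PREFIX = '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'

# Set-MpPreference options from the advisory, with the values that weaken Defender.
# Only the named values the advisory shows (plus $true/true) are matched here;
# numeric enum equivalents are not covered.
_ON = {"1", "$true", "true"}
WEAKENING = {name.casefold(): (name, values) for name, values in [
    ("DisableRealtimeMonitoring", _ON),
    ("DisableIntrusionPreventionSystem", _ON),
    ("DisableBehaviorMonitoring", _ON),
    ("DisableScriptScanning", _ON),
    ("DisableIOAVProtection", _ON),
    ("EnableControlledFolderAccess", {"disabled"}),
    ("MAPSReporting", {"disabled"}),
    ("SubmitSamplesConsent", {"neversend"}),
]}


def encoded_payloads(cmdline):
    """Yield the value following -EncodedCommand or any accepted abbreviation."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").casefold()
        # PowerShell accepts unambiguous prefixes (-e, -enc, ...) and the alias -ec.
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            yield value.strip("\"'")


def decode_powershell_b64(blob):
    """Decode base64-of-UTF-16LE text; tolerate values cut short by log truncation."""
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:  # a lone trailing character carries no full byte
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")


def defender_tampering(text):
    """Return the advisory's Defender options that `text` sets to a weakening value."""
    if "set-mppreference" not in text.casefold():
        return []
    hits = []
    # The lookbehind keeps the hyphen inside "Set-MpPreference" from matching.
    for name, value in re.findall(r"(?<=\s)-(\w+)\s+([^\s;]+)", text):
        known = WEAKENING.get(name.casefold())
        if known and value.strip("\"'").casefold() in known[1]:
            hits.append(known[0])
    return hits


def analyze(cmdline):
    """Return finding labels for one process-creation command line."""
    findings, texts = [], [cmdline]
    if re.search(r"(?i)powershell|pwsh", cmdline):
        for blob in encoded_payloads(cmdline):
            decoded = decode_powershell_b64(blob)
            if not decoded:
                continue
            texts.append(decoded)  # also inspect what the encoded command runs
            have, want = decoded.casefold(), LOADER_PREFIX.casefold()
            if have.startswith(want):
                findings.append("memorystream-loader")
            elif len(have) >= 12 and want.startswith(have):
                findings.append("memorystream-loader-truncated")
    for text in texts:
        weakened = defender_tampering(text)
        if weakened:
            findings.append("defender-tamper:" + ",".join(weakened))
    return findings


def scan(events):
    """Return (index, findings) for every command line with at least one finding."""
    return [(i, found) for i, e in enumerate(events) if (found := analyze(e))]


def _ps_encode(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines (inert payloads), not taken from the advisory.
SAMPLE_EVENTS = [
    "powershell -nop -w hidden -encodedcommand " + _ps_encode(LOADER_PREFIX + 'AAAA"));'),
    "powershell.exe -NoP -Enc "
    + _ps_encode("Set-MpPreference -DisableRealtimeMonitoring 1 -MAPSReporting Disabled"),
    "powershell -nop -w hidden -e " + _ps_encode(LOADER_PREFIX + 'AAAA"));')[:48],
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1",
    "powershell Set-MpPreference -DisableRealtimeMonitoring 0",
]

if __name__ == "__main__":
    for index, found in scan(SAMPLE_EVENTS):
        print(index, found)
```

Decoding the argument before matching catches the abbreviated flag forms and Defender changes hidden inside an encoded command, which a plain string match on the command line would miss.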
Exfiltration
Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors
do not frequently exfiltrate a significant amount of information or files, such as intellectual property or
personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has
observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted
third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar
limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.
Command and Control
Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command
and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer
protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers.
Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of
downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example,
http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP
address.
For email communication with victims, Ghost actors use legitimate email services that include traffic
encryption features [T1573]. Some examples of email services that Ghost actors have been observed
using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.
Note: Table 2 contains a list of Ghost ransom email addresses.
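An added example (not part of the advisory) of hunting for the pattern described above: web requests whose host is a literal IP address instead of a domain name. The three-field log format, the internal address ranges and all sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: these ranges count as "internal" for the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def ip_literal_host(target):
    """Return the destination as an ip_address if the host is a literal IP, else None."""
    if "://" not in target:  # CONNECT lines carry "host:port" with no scheme
        target = "//" + target
    try:
        host = urlsplit(target).hostname  # drops port, userinfo and IPv6 brackets
        return ipaddress.ip_address(host) if host else None
    except ValueError:  # malformed URL, or the host is a DNS name
        return None


def direct_ip_requests(log_lines):
    """Map each external IP-literal destination to the sources that contacted it."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        source, _method, target = parts
        dest = ip_literal_host(target)
        if dest is not None and not any(dest in net for net in INTERNAL_NETS):
            hits[str(dest)].add(source)
    return {dest: sorted(sources) for dest, sources in hits.items()}


# Constructed proxy log lines: "<source> <method> <target>".
SAMPLE_PROXY_LOG = [
    "10.1.4.22 GET http://203.0.113.77:80/Google.com",
    "10.1.4.22 GET https://updates.example.com/v2/manifest.json",
    "10.1.4.31 GET http://10.1.0.5:8080/health",
    "10.1.4.31 GET http://[2001:db8::5]:80/a",
    "10.1.4.40 CONNECT 198.51.100.9:443",
    "10.1.4.40 GET http://[bad",
    "10.1.4.41 GET http://203.0.113.77:80/Google.com",
]

if __name__ == "__main__":
    for dest, sources in direct_ip_requests(SAMPLE_PROXY_LOG).items():
        print(dest, sources)
```

Several internal hosts reaching the same external IP-literal destination within a short window is worth correlating with the process-creation findings on those hosts.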
Impact and Encryption
Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware
executables that share similar functionality. Ghost variants can be used to encrypt specific directories or
the entire system’s storage [T1486]. The nature of executables’ operability is based on command line
arguments used when executing the ransomware file. Various file extensions and system folders are
excluded during the encryption process to avoid encrypting files that would render targeted devices
inoperable.
These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy
Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost
ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted
data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in
cryptocurrency in exchange for decryption software [T1486].
The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to
move to other targets when confronted with hardened systems, such as those where proper network
segmentation prevents lateral movement to other devices.
Indicators of Compromise (IOC)
Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these
tools and applications on a network should be investigated further.
Note: Authors of these tools generally state that they should not be used in illegal activity.
Table 1: Tools Leveraged by Ghost Actors
Name | Description | Source
Cobalt Strike | Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike. | N/A
IOX | Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. | github[.]com/EddieIvan01/iox
SharpShares.exe | SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. | github[.]com/mitchmoser/SharpShares
SharpZeroLogon.exe | SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. | github[.]com/leitosama/SharpZeroLogon
SharpGPPPass.exe | SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. | N/A
SpnDump.exe | SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. | N/A
NBT.exe | A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. | github[.]com/BronzeTicket/SharpNBTScan
BadPotato.exe | BadPotato.exe is an exploitation tool used for privilege escalation. | github[.]com/BeichenDream/BadPotato
God.exe | God.exe is a compiled version of GodPotato and is used for privilege escalation. | github[.]com/BeichenDream/GodPotato
HFS (HTTP File Server) | A portable web server program that Ghost actors use to host files for remote access and exfiltration. | rejitto[.]com/hfs
Ladon 911 | A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. | github[.]com/k8gege/Ladon
Web Shell | A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. | Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx
Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity
Ransom Email Addresses
Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.
Table 3: Ransom Email Addresses
Ransom Notes
Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an
alternative method for communicating with victims. For example:
EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and
E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.
MITRE ATT&CK Tactics and Techniques
See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For
assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA
and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Table 4: Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers.
Table 5: Execution
Technique Title | ID | Use
Windows Management Instrumentation | T1047 | Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware.
PowerShell | T1059.001 | Ghost actors use PowerShell for various functions including to deploy Cobalt Strike.
Windows Command Shell | T1059.003 | Ghost actors use the Windows Command Shell to download malicious content on to victim servers.
Table 6: Persistence
Technique Title | ID | Use
Account Manipulation | T1098 | Ghost actors change passwords for already established accounts.
Local Account | T1136.001 | Ghost actors create new accounts or make modifications to local accounts.
Domain Account | T1136.002 | Ghost actors create new accounts or make modifications to domain accounts.
Web Shell | T1505.003 | Ghost actors upload web shells to victim servers to gain access and for persistence.
Table 7: Privilege Escalation
Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities.
Token Impersonation/Theft | T1134.001 | Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege.
Table 8: Defense Evasion
Technique Title | ID | Use
Application Layer Protocol: Web Protocols | T1071.001 | Ghost actors use HTTP and HTTPS protocols while conducting C2 operations.
Impair Defenses: Disable or Modify Tools | T1562.001 | Ghost actors disable antivirus products.
Hidden Window | T1564.003 | Ghost actors use PowerShell to conceal malicious content within legitimate appearing command windows.
Table 9: Credential Access
Technique Title | ID | Use
OS Credential Dumping | T1003 | Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes.
Table 10: Discovery
Technique Title | ID | Use
Remote System Discovery | T1018 | Ghost actors use tools like Ladon 911 and SharpNBTScan for remote systems discovery.
Process Discovery | T1057 | Ghost actors run a ps command to list running processes on an infected device.
Domain Account Discovery | T1087.002 | Ghost actors run commands such as net group “Domain Admins” /domain to discover a list of domain administrator accounts.
Network Share Discovery | T1135 | Ghost actors use various tools for network share discovery for the purpose of host enumeration.
Software Discovery | T1518 | Ghost actors use their access to determine which antivirus software is running.
Security Software Discovery | T1518.001 | Ghost actors run Cobalt Strike to enumerate running antivirus software.
Table 11: Exfiltration
Technique Title | ID | Use
Exfiltration Over C2 Channel | T1041 | Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.
Exfiltration to Cloud Storage | T1567.002 | Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations.
Table 12: Command and Control
Technique Title | ID | Use
Web Protocols | T1071.001 | Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers which communicate over HTTP and HTTPS.
Ingress Tool Transfer | T1105 | Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers.
Standard Encoding | T1132.001 | Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement.
Encrypted Channel | T1573 | Ghost actors use encrypted email platforms to facilitate communications.
Table 13: Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom.
Inhibit System Recovery | T1490 | Ghost actors delete volume shadow copies.
Mitigations
The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and
implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware
activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed
by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of
practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST
based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common
and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more
information on the CPGs, including additional recommended baseline protections.
• Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.
• Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E].
• Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
• Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
• Train users to recognize phishing attempts.
• Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices.
  o Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements.
• Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A].
• Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A].
  o Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.
• Limit exposure of services by disabling unused ports such as RDP 3398, FTP 21, and SMB 445, and restricting access to essential services through securely configured VPNs or firewalls.
• Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].
Validate Security Controls
In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and
validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK
for Enterprise framework in this advisory.
To get started:
1. Select an ATT&CK technique described in this advisory (see Table 3 to Table 13).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance
data.
6. Tune your security program, including people, processes, and technologies, based on the data
generated by this process.
Reporting
Your organization has no obligation to respond or provide information back to the FBI in response to this
joint advisory. If, after reviewing the information provided, your organization decides to provide information
to the FBI, reporting must be consistent with applicable state and federal laws.
The FBI is interested in any information that can be shared, to include logs showing communication to and
from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet
information, and/or decryptor files.
Additional details of interest include a targeted company point of contact, status and scope of infection,
estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and
network-based indicators.
The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files
will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations,
encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you
to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field
Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov)
or by calling 1-844-Say-CISA (1-844-729-2472).
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and
MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities,
products, or services linked within this document. Any reference to specific commercial entities, products,
processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or
imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.
Version History
February 19, 2025: Initial version.
Date:2/20/2025 8:51:19 PM
From:"Ruben Soto"
To:
"
---------- Forwarded message ---------
From: Ruben Soto <
Date: Thu, Feb 20, 2025, 6:06 PM
Subject: Re: 15 year old raped,drug dealer Mr. SPITZER
Penal Code - PEN
PART 1. OF CRIMES AND PUNISHMENTS [25 - 680.4] ( Part 1 enacted 1872. )
TITLE 9. OF CRIMES AGAINST THE PERSON INVOLVING SEXUAL ASSAULT, AND CRIMES AGAINST PUBLIC DECENCY
AND GOOD MORALS [261 - 368.7] ( Heading of Title 9 amended by Stats. 1982, Ch. 1111, Sec. 2. )
CHAPTER 1. Rape, Abduction, Carnal Abuse of Children, and Seduction [261 - 269] ( Chapter 1 enacted 1872. )
261.5.
(a) Unlawful sexual intercourse is an act of sexual intercourse accomplished with a person who is not the spouse of the perpetrator, if the person is
a minor. For the purposes of this section, a “minor” is a person under 18 years of age and an “adult” is a person who is 18 years of age or older.
(b) A person who engages in an act of unlawful sexual intercourse with a minor who is not more than three years older or three years younger than
the perpetrator, is guilty of a misdemeanor.
(c) A person who engages in an act of unlawful sexual intercourse with a minor who is more than three years younger than the perpetrator is guilty
of either a misdemeanor or a felony, and shall be punished by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to
subdivision (h) of Section 1170.
(d) A person 21 years of age or older who engages in an act of unlawful sexual intercourse with a minor who is under 16 years of age is guilty of
either a misdemeanor or a felony, and shall be punished by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to
subdivision (h) of Section 1170 for two, three, or four years.
(e) (1) Notwithstanding any other provision of this section, an adult who engages in an act of sexual intercourse with a minor in violation of this
section may be liable for civil penalties in the following amounts:
(A) An adult who engages in an act of unlawful sexual intercourse with a minor less than two years younger than the adult is liable for a civil penalty
not to exceed two thousand dollars ($2,000).
(B) An adult who engages in an act of unlawful sexual intercourse with a minor at least two years younger than the adult is liable for a civil penalty
not to exceed five thousand dollars ($5,000).
(C) An adult who engages in an act of unlawful sexual intercourse with a minor at least three years younger than the adult is liable for a civil penalty
not to exceed ten thousand dollars ($10,000).
(D) An adult over 21 years of age who engages in an act of unlawful sexual intercourse with a minor under 16 years of age is liable for a civil
penalty not to exceed twenty-five thousand dollars ($25,000).
(2) The district attorney may bring actions to recover civil penalties pursuant to this subdivision. From the amounts collected for each case, an
amount equal to the costs of pursuing the action shall be deposited with the treasurer of the county in which the judgment was entered, and the
remainder shall be deposited in the Underage Pregnancy Prevention Fund, which is hereby created in the State Treasury. Amounts deposited in the
Underage Pregnancy Prevention Fund may be used only for the purpose of preventing underage pregnancy upon appropriation by the Legislature.
(3) In addition to any punishment imposed under this section, the judge may assess a fine not to exceed seventy dollars ($70) against a person who
violates this section with the proceeds of this fine to be used in accordance with Section 1463.23. The court shall, however, take into consideration
the defendant’s ability to pay, and a defendant shall not be denied probation because of their inability to pay the fine permitted under this
subdivision.
(f) A person convicted of violating subdivision (d) who is granted probation shall not complete their community service at a school or location
where children congregate.
(Amended by Stats. 2023, Ch. 838, Sec. 1. (AB 1371) Effective January 1, 2024.)
On Thu, Feb 20, 2025, 6:05 PM Ruben Soto < wrote:
PEOPLE
Demi Lovato Reveals She Was Raped at 15 and 'Violated' by Her Drug Dealer the Night She Overdosed
In her moving new YouTube documentary, the singer bravely opens up about healing from the trauma of past sexual abuse
Date:2/20/2025 9:15:13 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#not around the children" on YouTube
https://youtube.com/shorts/5cIHuUnUzHg?si=OLK0jzS5yBgsAfCc
Date:2/20/2025 9:18:15 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #Charge
https://youtube.com/watch?v=QNQdmljSNBw&feature=shared
Date:2/20/2025 9:41:32 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#nomoney" on YouTube
https://youtube.com/shorts/roX8UljKOu0?si=7n26wJilpE6mg9mh
Date:2/20/2025 12:37:35 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #dont dis my ability
https://youtube.com/shorts/-L3vA3U614E?feature=shared
Date:2/20/2025 6:05:47 PM
From:"Ruben Soto"
To:
"
Attachment:8134348780276618743.mp4;
Date:2/20/2025 5:46:58 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] 15 year old raped,drug dealer Mr. SPITZER
PEOPLE
Demi Lovato Reveals She Was Raped at 15 and 'Violated' by Her Drug Dealer the Night She Overdosed
In her moving new YouTube documentary, the singer bravely opens up about healing from the trauma of past sexual abuse
Date:2/20/2025 7:20:58 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] February 20, 2025
https://youtube.com/shorts/8_usfXLCKVY?feature=shared
Date:2/20/2025 8:17:40 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] hashtag wrecking Ball
https://www.facebook.com/100094259776148/videos/1539183936798140/?sfnsn=mo&mibext
Date:2/20/2025 8:19:03 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Hooking up to my apartment computer without my permission
Date:2/20/2025 8:28:42 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Fwd: Drug Free zone a thousand foot
Attachment:IMG_20230724_151902.jpg;VOD_20230724_151818.mp4;
---------- Forwarded message ---------
From: Ruben Soto <
Date: Thu, Feb 20, 2025, 8:22 PM
Subject: Drug Free zone a thousand foot
Date:2/20/2025 8:22:53 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Drug Free zone a thousand foot
Attachment:IMG_20230724_151902.jpg;VOD_20230724_151818.mp4;
Date:2/20/2025 8:35:49 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Two calls on November 21 ,trying sell my car
Messages for Ruben. Uh, Ruben, this is Joe giving you a call with Uh, take a moment to return our call. This is in
regards to a letter that we received from the, uh, Garden Grove Police Department in regards to your vehicle that you have financed with us. Our
phone number here is
Date:2/20/2025 8:37:22 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL]
Attachment:3663696951253662655.mp4;
Date:2/20/2025 8:37:57 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] I'm like no other man
Attachment:3682255496193128199.mp4;
Date:2/20/2025 8:42:34 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Fwd: I'm like no other man
Attachment:3682255496193128199.mp4;
---------- Forwarded message ---------
From: Ruben Soto <
Date: Thu, Feb 20, 2025, 8:37 PM
Subject: I'm like no other man
Date:2/20/2025 8:11:05 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "January 26, 2025" on YouTube
https://youtu.be/D9VIeCjfems?si=UsA7ruDuvFioqBDm
Date:2/20/2025 6:06:27 PM
From:"Ruben Soto"
To:"
Subject:[EXTERNAL] Re: 15 year old raped,drug dealer Mr. SPITZER
Penal Code - PEN
PART 1. OF CRIMES AND PUNISHMENTS [25 - 680.4] ( Part 1 enacted 1872. )
TITLE 9. OF CRIMES AGAINST THE PERSON INVOLVING SEXUAL ASSAULT, AND CRIMES AGAINST PUBLIC DECENCY
AND GOOD MORALS [261 - 368.7] ( Heading of Title 9 amended by Stats. 1982, Ch. 1111, Sec. 2. )
CHAPTER 1. Rape, Abduction, Carnal Abuse of Children, and Seduction [261 - 269] ( Chapter 1 enacted 1872. )
261.5.
(a) Unlawful sexual intercourse is an act of sexual intercourse accomplished with a person who is not the spouse of the perpetrator, if the person is
a minor. For the purposes of this section, a “minor” is a person under 18 years of age and an “adult” is a person who is 18 years of age or older.
(b) A person who engages in an act of unlawful sexual intercourse with a minor who is not more than three years older or three years younger than
the perpetrator, is guilty of a misdemeanor.
(c) A person who engages in an act of unlawful sexual intercourse with a minor who is more than three years younger than the perpetrator is guilty
of either a misdemeanor or a felony, and shall be punished by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to
subdivision (h) of Section 1170.
(d) A person 21 years of age or older who engages in an act of unlawful sexual intercourse with a minor who is under 16 years of age is guilty of
either a misdemeanor or a felony, and shall be punished by imprisonment in a county jail not exceeding one year, or by imprisonment pursuant to
subdivision (h) of Section 1170 for two, three, or four years.
(e) (1) Notwithstanding any other provision of this section, an adult who engages in an act of sexual intercourse with a minor in violation of this
section may be liable for civil penalties in the following amounts:
(A) An adult who engages in an act of unlawful sexual intercourse with a minor less than two years younger than the adult is liable for a civil penalty
not to exceed two thousand dollars ($2,000).
(B) An adult who engages in an act of unlawful sexual intercourse with a minor at least two years younger than the adult is liable for a civil penalty
not to exceed five thousand dollars ($5,000).
(C) An adult who engages in an act of unlawful sexual intercourse with a minor at least three years younger than the adult is liable for a civil penalty
not to exceed ten thousand dollars ($10,000).
(D) An adult over 21 years of age who engages in an act of unlawful sexual intercourse with a minor under 16 years of age is liable for a civil
penalty not to exceed twenty-five thousand dollars ($25,000).
(2) The district attorney may bring actions to recover civil penalties pursuant to this subdivision. From the amounts collected for each case, an
amount equal to the costs of pursuing the action shall be deposited with the treasurer of the county in which the judgment was entered, and the
remainder shall be deposited in the Underage Pregnancy Prevention Fund, which is hereby created in the State Treasury. Amounts deposited in the
Underage Pregnancy Prevention Fund may be used only for the purpose of preventing underage pregnancy upon appropriation by the Legislature.
(3) In addition to any punishment imposed under this section, the judge may assess a fine not to exceed seventy dollars ($70) against a person who
violates this section with the proceeds of this fine to be used in accordance with Section 1463.23. The court shall, however, take into consideration
the defendant’s ability to pay, and a defendant shall not be denied probation because of their inability to pay the fine permitted under this
subdivision.
(f) A person convicted of violating subdivision (d) who is granted probation shall not complete their community service at a school or location
where children congregate.
(Amended by Stats. 2023, Ch. 838, Sec. 1. (AB 1371) Effective January 1, 2024.)
On Thu, Feb 20, 2025, 6:05 PM Ruben Soto < wrote:
PEOPLE
Demi Lovato Reveals She Was Raped at 15 and 'Violated' by Her Drug Dealer the Night She Overdosed
In her moving new YouTube documentary, the singer bravely opens up about healing from the trauma of past sexual abuse
Date:2/21/2025 7:13:47 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] February 21, 2025
https://youtube.com/watch?v=02x4hpMUsT0&feature=shared
Date:2/21/2025 7:47:17 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] February 21, 2025
https://youtube.com/watch?v=egQo1rhRn9I&feature=shared
Date:2/21/2025 8:00:14 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] February 21, 2025
https://youtube.com/shorts/LxaO-qTIBYg?feature=shared
Date:2/21/2025 9:26:13 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] February 21, 2025
https://youtube.com/watch?v=RbJtF7qNnUQ&feature=shared
Date:2/21/2025 11:00:05 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #happyaniversary Lol
https://youtube.com/watch?v=iJnzpSzVWDM&feature=shared
Date:2/21/2025 12:39:13 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #childsupport
https://youtube.com/watch?v=3JZQBC70Jks&feature=shared
Date:2/21/2025 6:26:06 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Fwd: We Have Received Your Message
---------- Forwarded message ---------
From: The White House <noreply@contact.whitehouse.gov>
Date: Fri, Feb 21, 2025, 12:20 PM
Subject: We Have Received Your Message
To: <
We have received your email. Thank you for sharing your thoughts with President Donald
J. Trump.
The willingness of the American people to stay informed is essential to our enduring
democracy. Please know that President Trump will never stop fighting for the citizens of
our great Nation!
For additional information about President Trump’s policy initiatives or current events at
the White House, please visit www.WhiteHouse.gov.
You may follow President Trump and the White House on Facebook, Instagram, X, and YouTube.
White House Website | Privacy Policy | Contact the White House
Date:2/21/2025 5:56:26 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#court corruption" on YouTube
https://youtube.com/shorts/m8-5E0PIkNc?si=cXGnzNxWXNjmpMkU
Date:2/21/2025 7:40:55 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Fwd: Watch "#court corruption" on YouTube
---------- Forwarded message ---------
From: Ruben Soto <
Date: Fri, Feb 21, 2025, 6:52 PM
Subject: Watch "#court corruption" on YouTube
https://youtube.com/shorts/m8-5E0PIkNc?si=cXGnzNxWXNjmpMkU
Date:2/22/2025 12:21:16 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Willow tree Lodge room 215 being poisoned
Attachment:8922091838757505556.mp4;
Date:2/21/2025 11:47:40 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#hispanics hate me" on YouTube
https://youtu.be/aUnXsf815-Y?si=NtygRm_Yaqm6Kgs-
Date:2/22/2025 12:02:20 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#poisioning room215" on YouTube
https://youtube.com/shorts/4nmvQiTyPP0?si=81bfNCt-8W3nCIBc
Date:2/22/2025 8:53:34 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] What a fool believes
https://youtu.be/odGDcNNEbxE?si=IXQpZGzOyECd3wV-
Date:2/22/2025 9:09:44 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] What a fool believes hashtag
https://youtu.be/rNXthW_Nqug?si=Db0DJ25v-ARu3XRy
Date:2/22/2025 9:19:52 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] # what's Love got to do with It
Attachment:7653836126237838796.mp4;
Date:2/22/2025 9:29:29 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#happily forever after" on YouTube
https://youtu.be/6DDC3E1AOnw?si=cbHi1VMU2TIh-iEt
Date:2/22/2025 9:56:26 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #never worry about girlfriends or wives
https://youtu.be/uM2ngPWlwMQ?si=qgrxnaY6VqNFLxqZ
Date:2/22/2025 10:14:57 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #corrupt family laws
https://youtu.be/FU5YfBKuPv4?si=olH62d94wGk3OgFl
Date:2/22/2025 10:27:30 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #attempted murder
https://youtube.com/shorts/zlN_ajzKbSQ?si=2tjaoW_gtkDLtfBN
Date:2/22/2025 10:49:27 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#overdose attempted murder" on YouTube
https://youtube.com/shorts/lLlNr0p0Pv0?si=mCXNKllnU0NnB0ZX
Date:2/22/2025 12:00:15 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Pastors preachers churches 1 Timothy 5-8
https://youtube.com/watch?v=lFNIP9mkJ-Q&feature=shared
Date:2/23/2025 7:52:38 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#troublemakers" on YouTube
https://youtu.be/S8wsp9PGlDA?si=hfeazLSFzu2axpvr
Date:2/23/2025 8:00:30 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "# tell the truth nothing but the truth" on YouTube
https://youtube.com/shorts/6F4Y7dkPyZY?si=EOE3nrWSL9H8Dcja
Date:2/23/2025 8:22:20 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#childabuse" on YouTube
https://youtu.be/94L9UnMHHpk?si=ug9zhBhRsRY1vEq2
Date:2/23/2025 4:03:14 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #how do you like it
https://youtube.com/shorts/wH9CFc9kz4E?feature=shared
Date:2/23/2025 10:21:53 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#judge me u be judge" on YouTube
https://youtube.com/shorts/2DwQfTXGeUI?si=PRvQRo_hw0i2NEu3
Date:2/23/2025 4:26:32 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#littleboy" on YouTube
https://youtube.com/shorts/7ja7vswJObY?si=xV0GwsLusjL9kML_
Date:2/23/2025 9:27:57 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Diana Rodriguez threat to kill me
https://photos.app.goo.gl/W7vEQBd88SuU9ZK96
Date:2/23/2025 6:09:45 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#Christians hate Catholics" on YouTube
https://youtu.be/Ug2e7CAQwUs?si=Ngzs4uuN94wBKeoY
Date:2/24/2025 9:22:14 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Sick perverted Christian men all men
Attachment:-8826308548401334285.mp4;
Date:2/24/2025 9:48:29 AM
From:"Ruben Soto"
To:"
Subject:[EXTERNAL] Dear Evan Hansen (film) - Yahoo Search Results
Date:2/25/2025 6:30:03 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Gossiping good or bad
Attachment:2521168173603006214.mp4;
Date:2/25/2025 6:39:20 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Audio and video taping me
Attachment:5863752477972940263.mp4;
Date:2/25/2025 6:47:19 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Privacy act lawsuits
Attachment:8532253961436014534.mp4;
Date:2/25/2025 7:04:45 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] 8000
Attachment:397093864006409813.mp4;
Date:2/25/2025 7:19:07 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Religion wrong forgive never jail forever
Attachment:-7742272692051660128.mp4;
Date:2/25/2025 7:37:57 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #brainwash do the right thing use the law of the land
https://youtube.com/watch?v=sWLV-GXomaQ&feature=shared
Date:2/25/2025 8:29:49 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #accountable
https://youtube.com/shorts/mgQI8YYjPxo?feature=shared
Date:2/25/2025 5:04:26 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #childabuse
https://youtu.be/94L9UnMHHpk?si=M4NQ5OLfgjEWKdd-
Date:2/25/2025 5:16:05 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #badsexualconduct
https://youtu.be/fpnYd-u_Wvs?si=2R_6sLdORnvE-a9f
Date:2/25/2025 7:32:29 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #family did you in
https://youtube.com/watch?v=TIhaBT3wwuM&feature=shared
Date:2/26/2025 7:29:13 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#funny" on YouTube
https://youtu.be/bUMZbSOyyto?si=Gw5rk3uEHhHXY1Kz
Date:2/26/2025 8:57:27 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#phonyrestraingorders" on YouTube
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
https://youtube.com/shorts/PMWXk7ionxA?si=q_FVYxDUHPqva3JT
Date:2/26/2025 6:02:56 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Watch "#youletGO" on YouTube
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
https://youtu.be/_i7NLohdASI?si=fxm9b7155CrJqilL
Date:2/26/2025 6:34:04 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #History
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
https://youtube.com/shorts/IW73eR79xSk?feature=shared
Date:2/26/2025 7:07:47 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #religion did me wrong with the government
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
https://youtube.com/shorts/IT_RBmVoL1k?feature=shared
Date:2/27/2025 5:25:59 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #I follow no man or human being
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
https://youtube.com/shorts/FlHgY-R--RM?feature=shared
Date:2/27/2025 9:35:37 AM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Diana Rodriguez threatened keep it up to kill me
Attachment:-7033198128958566969.mp4;
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
Date:2/27/2025 12:19:35 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #sickmusleboundfreaks
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
https://youtube.com/watch?v=DXgEsUBeiLI&feature=shared
Date:2/27/2025 7:23:53 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] Fwd: #sickmusleboundfreaks
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
---------- Forwarded message ---------
From: Ruben Soto <
Date: Thu, Feb 27, 2025, 12:52 PM
Subject: #sickmusleboundfreaks
https://youtube.com/watch?v=DXgEsUBeiLI&feature=shared
Date:2/27/2025 12:53:18 PM
From:"Ruben Soto"
To:
"
Subject:[EXTERNAL] #screwchristianbrothers
Warning: This email originated from outside the City of Anaheim. Do not click links or open attachments unless you recognize the
sender and are expecting the message.
https://youtube.com/watch?v=xn3d28Yyzc0&feature=shared