Android backdoor spies on Russian business employees
A sophisticated Android backdoor named Android.Backdoor.916.origin is targeting Russian business representatives. The malware, disguised as an antivirus app called 'GuardCB', has extensive surveillance capabilities including intercepting calls, streaming camera footage, stealing data from messaging apps and browsers, and keylogging. Distributed via messenger apps, it requests numerous system permissions and connects to C2 servers for commands. The backdoor can transmit SMS messages, contact lists, call logs, location data, and captured audio/video streams. It uses Accessibility Service to log keystrokes and intercept content from specific apps like Telegram and Chrome. The malware is believed to be used for targeted attacks rather than mass distribution.
AI Analysis
Technical Summary
The Android.Backdoor.916.origin is a sophisticated spyware backdoor targeting Russian business employees through Android devices. Disguised as a legitimate antivirus application named 'GuardCB', this malware employs extensive surveillance capabilities to compromise victim devices. It is distributed primarily via messenger applications, leveraging social engineering to convince targets to install the malicious app. Once installed, it requests numerous system permissions that enable it to perform a wide range of malicious activities. These include intercepting phone calls, streaming live camera footage, stealing sensitive data from messaging apps such as Telegram and browsers like Chrome, and logging keystrokes using the Android Accessibility Service. The malware also collects and transmits SMS messages, contact lists, call logs, location data, and audio/video recordings back to its command and control (C2) servers, allowing remote operators to monitor and exfiltrate sensitive information in real time. The use of Accessibility Service is particularly notable as it allows the malware to bypass certain Android security restrictions and capture input from targeted applications. The backdoor is designed for targeted espionage rather than mass distribution, indicating a focus on high-value individuals within Russian business sectors. There is no evidence of known exploits in the wild beyond the described infection vector, and no specific affected Android versions have been identified. The malware's command and control infrastructure facilitates continuous remote control and data exfiltration, making it a persistent threat to affected users.
Potential Impact
For European organizations, particularly those with business ties or operations involving Russian entities or employees, this backdoor represents a significant espionage risk. The malware's ability to capture sensitive communications, credentials, and location data can lead to severe confidentiality breaches, intellectual property theft, and operational disruption. Organizations with employees traveling to or collaborating with Russian business partners may inadvertently become targets, risking exposure of proprietary information or strategic plans. The spyware's stealthy nature and use of legitimate Android features complicate detection and response, potentially allowing prolonged unauthorized access. Additionally, the malware's capability to intercept communications from widely used apps like Telegram and Chrome poses a threat to the integrity and privacy of corporate communications. While the primary focus is on Russian business representatives, the malware could be repurposed or spread to European targets through similar social engineering tactics, especially in multinational corporations with cross-border communications. The impact on availability is limited, but the compromise of confidentiality and integrity is substantial, potentially undermining trust and causing reputational damage.
Mitigation Recommendations
European organizations should implement targeted mobile security strategies beyond generic advice. First, enforce strict policies on app installation, especially discouraging installation of apps from unverified sources or unsolicited links received via messenger apps. Deploy mobile threat defense (MTD) solutions capable of detecting suspicious behaviors such as unauthorized use of Accessibility Services and unusual permission requests. Conduct regular security awareness training focused on social engineering risks related to messenger apps and fake antivirus apps. Implement endpoint detection and response (EDR) tools that extend to mobile devices to monitor for anomalous network connections to known or suspicious C2 servers. Organizations should also consider restricting or monitoring the use of Accessibility Services on corporate devices, as misuse is a common vector for spyware. Network-level controls such as DNS filtering and blocking known malicious IP addresses associated with the malware's C2 infrastructure can reduce the risk of data exfiltration. For employees working with or in Russia, consider additional device hardening measures, including disabling unnecessary permissions and using containerization or sandboxing to isolate sensitive apps. Incident response plans should include procedures for rapid identification and remediation of mobile spyware infections.
Affected Countries
Russia, Germany, United Kingdom, France, Netherlands, Poland, Italy
Indicators of Compromise
- domain: refs.search
- hash: 014120441aa6cd24ad2914e06ae4f5fa
- hash: 01c1f9a597468532db6e05e322a0abc3
- hash: 04395be7adfa6402645063aa54e97e58
- hash: 32d65e7f78def3004a46a17f838fac43
- hash: 3c4ad3e5cbe335afa9e112d14cb0694e
- hash: 4360b3705243ef501094ed160a09f42f
- hash: 5d55de8f9599c75e21db29d80126bad7
- hash: 657498bae0f1eced3e7e83d05945ad56
- hash: 6d4fe681db84c9161b1d6b3564831626
- hash: 72bc7a1723eb96137a26b80da9bf2169
- hash: 73680a7a538ddab38a2f8092e25276e1
- hash: 9d0a4b72bf9516cd327c61979f9a637d
- hash: b5bf762583a96279183c41b84dc23c8c
- hash: c1e45c74cb71448518be21c04e88e9d1
- hash: df76db671a73961133bc17093dc9838d
- hash: fc4c9d1e7f150edcc0f2cfa4a0c151a5
- hash: 28e5c478144088a1ce31a831354f042435e52ea6
- hash: 28ff8d630e4acbd809c4a2672f8fdc349173d6ff
- hash: 31a2fd3c593b4a730430e0c0a689b4e28270f1b5
- hash: 35c775748501bf3f57cddee44e3dfed1d6a41b87
- hash: 38717aeeb365bcfe74760cb59ffcb4a92ab32604
- hash: 3c734b9c24087898cfbfb58b3a53c44592356389
- hash: 4000d55e218b54eea9090b01d4a96d1410c6c4b1
- hash: 5059c6dc5a657722e3c13f720cbf77e9b58ef515
- hash: 5f97d7aeb20d56df918b313520958eaa88ea6e52
- hash: 81fba3e7821cdb38d8bb6767fef00dc7fab63ca6
- hash: 8b4b205d7efef0f5f887f627c89629082927e4a9
- hash: 94d25cebb6ba408c7c45bd12fd8aca5293d5df21
- hash: ced461fd540c6e558a75afaf1c0aeef25e001fc5
- hash: d43f35feec33b473bbb78f2a467021f3484531eb
- hash: d8554d2fdbae21927f1f10f199b73dbc6b351ad3
- hash: e018304ee662319225bc32755eee149d8d7d9f2e
- hash: e30e1e8218dc39be09df45192080357155eb5a29
- hash: eea0dbbced23ffe5d5086e520abf61d12395596a
- hash: f88410271b51ba751242e31384d50abf2d6165a8
- hash: 0c4434117b1c9c13de67a68034c1295007d274aa6c151c2adff7b29c6092c9b9
- hash: 1ab61aa607e28ed3a1574fd08749d58472ecf729373e65ab5dafe44c0b45631b
- hash: 26a5b7932aeca53e812f531c587408eb214a6fb1767b71454768581c31190880
- hash: 3ff2043b48ee487dd297c0b9d4cf6f5156eb3195e2ffe84d8c4cf2dcb8582752
- hash: 49bf6b84fc9e91d68f44f7087b922418bb2352eaf88457e1f192cae3fdcea435
- hash: 6bb7d7c97c5b492ff31a3a2288fa49aa7a4a668857c10bfcdd4234bbb892cf16
- hash: 7de1540a5c51f755652100ff996829fada474d234e4e7602eeca22473578634a
- hash: 8586756c3be19a1568752cfca3c878d8cf9dd50e013e2e02a3d3fea3fa4a38cb
- hash: 8d2fba04267db75928cabc34769e6afe2c0bc35eaa9a6f51b3988ff54016a1e1
- hash: 9d24d66d0c0a9da404d4df31d8e4f70e6af35647325db4f32e63abb4eb859727
- hash: a65d7e5388aba8b7b633a3007f2627a6e4e23831dc2af704c70ed2d163442a18
- hash: aaf1409baa2a87d42a24bfea8b26a0eb8ca9b2e961f96c5e4179fd2d568f1b8b
- hash: b9aab16bfc566f0730115940149625d92045d9a818a338614e3cb44bda323c38
- hash: df90c807d452cd8ce9466421a93eea2f7889c591f38f37ab5f44b5300b5ee3da
- hash: eacf247bbce4f123f97713f43e7432cef5eb3a4c9cef720f2a38614609b146c3
- hash: ed89269bee14036884b08ae96bd88eb550b3e92bfa698d9bef4468460f5ca3ca
- ip: 103.71.22.100
- ip: 103.71.22.206
- ip: 103.71.22.52
- ip: 103.71.22.68
- ip: 136.243.209.194
- ip: 136.243.209.196
- ip: 138.124.15.61
- ip: 138.124.182.198
- ip: 138.124.31.177
- ip: 138.124.31.191
- ip: 144.76.48.43
- ip: 144.76.48.45
- ip: 148.251.240.92
- ip: 157.90.14.184
- ip: 157.90.14.191
- ip: 176.124.192.155
- ip: 185.255.178.199
- ip: 188.40.171.100
- ip: 192.145.28.144
- ip: 192.145.28.179
- ip: 192.145.28.67
- ip: 193.124.33.196
- ip: 193.124.33.230
- ip: 193.32.179.113
- ip: 194.147.35.129
- ip: 194.147.35.45
- ip: 194.147.35.86
- ip: 194.190.152.200
- ip: 194.190.152.39
- ip: 194.226.121.112
- ip: 194.226.121.169
- ip: 194.226.121.245
- ip: 194.226.121.95
- ip: 194.33.35.94
- ip: 194.87.252.163
- ip: 194.87.252.51
- ip: 194.87.252.7
- ip: 194.87.35.52
- ip: 194.87.62.162
- ip: 195.58.50.187
- ip: 2.59.183.215
- ip: 212.193.31.126
- ip: 212.87.223.192
- ip: 212.87.223.248
- ip: 213.218.212.19
- ip: 213.218.212.200
- ip: 213.218.212.23
- ip: 213.218.212.25
- ip: 213.218.212.55
- ip: 31.172.75.46
- ip: 31.192.237.132
- ip: 37.221.126.216
- ip: 45.12.109.104
- ip: 45.12.129.171
- ip: 45.12.136.170
- ip: 45.129.242.236
- ip: 45.129.242.58
- ip: 45.134.12.13
- ip: 45.140.147.41
- ip: 45.140.167.112
- ip: 45.140.167.148
- ip: 45.159.248.236
- ip: 45.159.248.6
- ip: 45.67.230.151
- ip: 45.67.231.139
- ip: 45.67.231.215
- ip: 45.82.253.185
- ip: 45.85.93.206
- ip: 5.39.249.107
- ip: 5.9.133.189
- ip: 62.192.174.132
- ip: 62.192.174.142
- ip: 62.192.174.151
- ip: 62.192.174.219
- ip: 62.192.174.87
- ip: 77.110.104.235
- ip: 77.239.124.215
- ip: 77.239.124.232
- ip: 77.239.124.95
- ip: 77.91.101.27
- ip: 79.137.192.33
- ip: 80.85.154.113
- ip: 80.85.154.134
- ip: 80.85.154.222
- ip: 80.85.154.246
- ip: 80.85.154.249
- ip: 80.85.154.250
- ip: 80.85.154.70
- ip: 80.85.154.90
- ip: 80.85.155.132
- ip: 80.85.155.141
- ip: 80.85.155.179
- ip: 80.85.155.182
- ip: 80.85.155.185
- ip: 80.85.155.32
- ip: 80.85.155.41
- ip: 80.85.156.13
- ip: 80.85.157.114
- ip: 83.147.255.202
- ip: 83.147.255.228
- ip: 83.147.255.86
- ip: 83.217.210.129
- ip: 83.217.210.163
- ip: 83.217.210.91
- ip: 84.21.172.65
- ip: 85.192.56.19
- ip: 85.192.56.90
- ip: 85.209.153.229
- ip: 88.218.93.20
- ip: 89.169.15.54
- ip: 89.42.142.29
- ip: 91.207.183.142
- ip: 94.130.255.132
- ip: 94.130.255.149
- ip: 94.131.118.221
- ip: 94.131.122.189
- ip: 95.164.38.35
- ip: 95.164.86.41
- ip: 95.216.239.65
- ip: 95.217.146.248
- domain: 24biliberdiki.ru
- domain: 24lasofyu.ru
- domain: advasd.ru
- domain: alegriki.ru
- domain: asasdffgasd.online
- domain: biliberdiki.ru
- domain: bountyhunter.pro
- domain: cadabrabro.ru
- domain: dertels.ru
- domain: dpblast.fun
- domain: dpbots.online
- domain: dpbxtroj.xyz
- domain: example2.cyou
- domain: geneva-it-otdel.com
- domain: gevena-best.com
- domain: gevena-bh.com
- domain: hugamuga.monster
- domain: kaban1488.ru
- domain: kabanosiki.ru
- domain: kingwqeq.ru
- domain: lunadev1.rehab
- domain: lunadev2.legal
- domain: lunadev3.photography
- domain: nasdaad.ru
- domain: nikolas.cfd
- domain: nikolas.icu
- domain: nikolas.lol
- domain: nikolas.monster
- domain: nikolas.pics
- domain: nikolas.quest
- domain: nikolas.sbs
- domain: nluxor.pro
- domain: opticun.ru
- domain: optipan.ru
- domain: pancum.ru
- domain: panopti.ru
- domain: pikabueim.cfd
- domain: pikiviki777.cyou
- domain: pikiviki777.sbs
- domain: pilitavki.ru
- domain: repkasv.ru
- domain: retrojins.ru
- domain: silakabana.cfd
- domain: speroid6six.ru
- domain: speroidsix6.ru
- domain: spydroid.dad
- domain: tuzvladki.cfd
- domain: twofish.pro
- domain: vetervgolov.icu
- domain: zifirwera.ru
- domain: ru.next.secure
Android backdoor spies on Russian business employees
Description
A sophisticated Android backdoor named Android.Backdoor.916.origin is targeting Russian business representatives. The malware, disguised as an antivirus app called 'GuardCB', has extensive surveillance capabilities including intercepting calls, streaming camera footage, stealing data from messaging apps and browsers, and keylogging. Distributed via messenger apps, it requests numerous system permissions and connects to C2 servers for commands. The backdoor can transmit SMS messages, contact lists, call logs, location data, and captured audio/video streams. It uses Accessibility Service to log keystrokes and intercept content from specific apps like Telegram and Chrome. The malware is believed to be used for targeted attacks rather than mass distribution.
AI-Powered Analysis
Technical Analysis
The Android.Backdoor.916.origin is a sophisticated spyware backdoor targeting Russian business employees through Android devices. Disguised as a legitimate antivirus application named 'GuardCB', this malware employs extensive surveillance capabilities to compromise victim devices. It is distributed primarily via messenger applications, leveraging social engineering to convince targets to install the malicious app. Once installed, it requests numerous system permissions that enable it to perform a wide range of malicious activities. These include intercepting phone calls, streaming live camera footage, stealing sensitive data from messaging apps such as Telegram and browsers like Chrome, and logging keystrokes using the Android Accessibility Service. The malware also collects and transmits SMS messages, contact lists, call logs, location data, and audio/video recordings back to its command and control (C2) servers, allowing remote operators to monitor and exfiltrate sensitive information in real time. The use of Accessibility Service is particularly notable as it allows the malware to bypass certain Android security restrictions and capture input from targeted applications. The backdoor is designed for targeted espionage rather than mass distribution, indicating a focus on high-value individuals within Russian business sectors. There is no evidence of known exploits in the wild beyond the described infection vector, and no specific affected Android versions have been identified. The malware's command and control infrastructure facilitates continuous remote control and data exfiltration, making it a persistent threat to affected users.
Potential Impact
For European organizations, particularly those with business ties or operations involving Russian entities or employees, this backdoor represents a significant espionage risk. The malware's ability to capture sensitive communications, credentials, and location data can lead to severe confidentiality breaches, intellectual property theft, and operational disruption. Organizations with employees traveling to or collaborating with Russian business partners may inadvertently become targets, risking exposure of proprietary information or strategic plans. The spyware's stealthy nature and use of legitimate Android features complicate detection and response, potentially allowing prolonged unauthorized access. Additionally, the malware's capability to intercept communications from widely used apps like Telegram and Chrome poses a threat to the integrity and privacy of corporate communications. While the primary focus is on Russian business representatives, the malware could be repurposed or spread to European targets through similar social engineering tactics, especially in multinational corporations with cross-border communications. The impact on availability is limited, but the compromise of confidentiality and integrity is substantial, potentially undermining trust and causing reputational damage.
Mitigation Recommendations
European organizations should implement targeted mobile security strategies beyond generic advice. First, enforce strict policies on app installation, especially discouraging installation of apps from unverified sources or unsolicited links received via messenger apps. Deploy mobile threat defense (MTD) solutions capable of detecting suspicious behaviors such as unauthorized use of Accessibility Services and unusual permission requests. Conduct regular security awareness training focused on social engineering risks related to messenger apps and fake antivirus apps. Implement endpoint detection and response (EDR) tools that extend to mobile devices to monitor for anomalous network connections to known or suspicious C2 servers. Organizations should also consider restricting or monitoring the use of Accessibility Services on corporate devices, as misuse is a common vector for spyware. Network-level controls such as DNS filtering and blocking known malicious IP addresses associated with the malware's C2 infrastructure can reduce the risk of data exfiltration. For employees working with or in Russia, consider additional device hardening measures, including disabling unnecessary permissions and using containerization or sandboxing to isolate sensitive apps. Incident response plans should include procedures for rapid identification and remediation of mobile spyware infections.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["http://news.drweb.ru/show/?i=15047&lng=ru","https://raw.githubusercontent.com/DoctorWebLtd/malware-iocs/refs/heads/master/Android.Backdoor.916.origin/README.adoc"]
- Adversary
- null
- Pulse Id
- 68ac4107332fb8f01c93e2ac
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainrefs.search | — | |
domain24biliberdiki.ru | — | |
domain24lasofyu.ru | — | |
domainadvasd.ru | — | |
domainalegriki.ru | — | |
domainasasdffgasd.online | — | |
domainbiliberdiki.ru | — | |
domainbountyhunter.pro | — | |
domaincadabrabro.ru | — | |
domaindertels.ru | — | |
domaindpblast.fun | — | |
domaindpbots.online | — | |
domaindpbxtroj.xyz | — | |
domainexample2.cyou | — | |
domaingeneva-it-otdel.com | — | |
domaingevena-best.com | — | |
domaingevena-bh.com | — | |
domainhugamuga.monster | — | |
domainkaban1488.ru | — | |
domainkabanosiki.ru | — | |
domainkingwqeq.ru | — | |
domainlunadev1.rehab | — | |
domainlunadev2.legal | — | |
domainlunadev3.photography | — | |
domainnasdaad.ru | — | |
domainnikolas.cfd | — | |
domainnikolas.icu | — | |
domainnikolas.lol | — | |
domainnikolas.monster | — | |
domainnikolas.pics | — | |
domainnikolas.quest | — | |
domainnikolas.sbs | — | |
domainnluxor.pro | — | |
domainopticun.ru | — | |
domainoptipan.ru | — | |
domainpancum.ru | — | |
domainpanopti.ru | — | |
domainpikabueim.cfd | — | |
domainpikiviki777.cyou | — | |
domainpikiviki777.sbs | — | |
domainpilitavki.ru | — | |
domainrepkasv.ru | — | |
domainretrojins.ru | — | |
domainsilakabana.cfd | — | |
domainsperoid6six.ru | — | |
domainsperoidsix6.ru | — | |
domainspydroid.dad | — | |
domaintuzvladki.cfd | — | |
domaintwofish.pro | — | |
domainvetervgolov.icu | — | |
domainzifirwera.ru | — | |
domainru.next.secure | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash014120441aa6cd24ad2914e06ae4f5fa | — | |
hash01c1f9a597468532db6e05e322a0abc3 | — | |
hash04395be7adfa6402645063aa54e97e58 | — | |
hash32d65e7f78def3004a46a17f838fac43 | — | |
hash3c4ad3e5cbe335afa9e112d14cb0694e | — | |
hash4360b3705243ef501094ed160a09f42f | — | |
hash5d55de8f9599c75e21db29d80126bad7 | — | |
hash657498bae0f1eced3e7e83d05945ad56 | — | |
hash6d4fe681db84c9161b1d6b3564831626 | — | |
hash72bc7a1723eb96137a26b80da9bf2169 | — | |
hash73680a7a538ddab38a2f8092e25276e1 | — | |
hash9d0a4b72bf9516cd327c61979f9a637d | — | |
hashb5bf762583a96279183c41b84dc23c8c | — | |
hashc1e45c74cb71448518be21c04e88e9d1 | — | |
hashdf76db671a73961133bc17093dc9838d | — | |
hashfc4c9d1e7f150edcc0f2cfa4a0c151a5 | — | |
hash28e5c478144088a1ce31a831354f042435e52ea6 | — | |
hash28ff8d630e4acbd809c4a2672f8fdc349173d6ff | — | |
hash31a2fd3c593b4a730430e0c0a689b4e28270f1b5 | — | |
hash35c775748501bf3f57cddee44e3dfed1d6a41b87 | — | |
hash38717aeeb365bcfe74760cb59ffcb4a92ab32604 | — | |
hash3c734b9c24087898cfbfb58b3a53c44592356389 | — | |
hash4000d55e218b54eea9090b01d4a96d1410c6c4b1 | — | |
hash5059c6dc5a657722e3c13f720cbf77e9b58ef515 | — | |
hash5f97d7aeb20d56df918b313520958eaa88ea6e52 | — | |
hash81fba3e7821cdb38d8bb6767fef00dc7fab63ca6 | — | |
hash8b4b205d7efef0f5f887f627c89629082927e4a9 | — | |
hash94d25cebb6ba408c7c45bd12fd8aca5293d5df21 | — | |
hashced461fd540c6e558a75afaf1c0aeef25e001fc5 | — | |
hashd43f35feec33b473bbb78f2a467021f3484531eb | — | |
hashd8554d2fdbae21927f1f10f199b73dbc6b351ad3 | — | |
hashe018304ee662319225bc32755eee149d8d7d9f2e | — | |
hashe30e1e8218dc39be09df45192080357155eb5a29 | — | |
hasheea0dbbced23ffe5d5086e520abf61d12395596a | — | |
hashf88410271b51ba751242e31384d50abf2d6165a8 | — | |
hash0c4434117b1c9c13de67a68034c1295007d274aa6c151c2adff7b29c6092c9b9 | — | |
hash1ab61aa607e28ed3a1574fd08749d58472ecf729373e65ab5dafe44c0b45631b | — | |
hash26a5b7932aeca53e812f531c587408eb214a6fb1767b71454768581c31190880 | — | |
hash3ff2043b48ee487dd297c0b9d4cf6f5156eb3195e2ffe84d8c4cf2dcb8582752 | — | |
hash49bf6b84fc9e91d68f44f7087b922418bb2352eaf88457e1f192cae3fdcea435 | — | |
hash6bb7d7c97c5b492ff31a3a2288fa49aa7a4a668857c10bfcdd4234bbb892cf16 | — | |
hash7de1540a5c51f755652100ff996829fada474d234e4e7602eeca22473578634a | — | |
hash8586756c3be19a1568752cfca3c878d8cf9dd50e013e2e02a3d3fea3fa4a38cb | — | |
hash8d2fba04267db75928cabc34769e6afe2c0bc35eaa9a6f51b3988ff54016a1e1 | — | |
hash9d24d66d0c0a9da404d4df31d8e4f70e6af35647325db4f32e63abb4eb859727 | — | |
hasha65d7e5388aba8b7b633a3007f2627a6e4e23831dc2af704c70ed2d163442a18 | — | |
hashaaf1409baa2a87d42a24bfea8b26a0eb8ca9b2e961f96c5e4179fd2d568f1b8b | — | |
hashb9aab16bfc566f0730115940149625d92045d9a818a338614e3cb44bda323c38 | — | |
hashdf90c807d452cd8ce9466421a93eea2f7889c591f38f37ab5f44b5300b5ee3da | — | |
hasheacf247bbce4f123f97713f43e7432cef5eb3a4c9cef720f2a38614609b146c3 | — | |
hashed89269bee14036884b08ae96bd88eb550b3e92bfa698d9bef4468460f5ca3ca | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip103.71.22.100 | — | |
ip103.71.22.206 | — | |
ip103.71.22.52 | — | |
ip103.71.22.68 | — | |
ip136.243.209.194 | — | |
ip136.243.209.196 | — | |
ip138.124.15.61 | — | |
ip138.124.182.198 | — | |
ip138.124.31.177 | — | |
ip138.124.31.191 | — | |
ip144.76.48.43 | — | |
ip144.76.48.45 | — | |
ip148.251.240.92 | — | |
ip157.90.14.184 | — | |
ip157.90.14.191 | — | |
ip176.124.192.155 | — | |
ip185.255.178.199 | — | |
ip188.40.171.100 | — | |
ip192.145.28.144 | — | |
ip192.145.28.179 | — | |
ip192.145.28.67 | — | |
ip193.124.33.196 | — | |
ip193.124.33.230 | — | |
ip193.32.179.113 | — | |
ip194.147.35.129 | — | |
ip194.147.35.45 | — | |
ip194.147.35.86 | — | |
ip194.190.152.200 | — | |
ip194.190.152.39 | — | |
ip194.226.121.112 | — | |
ip194.226.121.169 | — | |
ip194.226.121.245 | — | |
ip194.226.121.95 | — | |
ip194.33.35.94 | — | |
ip194.87.252.163 | — | |
ip194.87.252.51 | — | |
ip194.87.252.7 | — | |
ip194.87.35.52 | — | |
ip194.87.62.162 | — | |
ip195.58.50.187 | — | |
ip2.59.183.215 | — | |
ip212.193.31.126 | — | |
ip212.87.223.192 | — | |
ip212.87.223.248 | — | |
ip213.218.212.19 | — | |
ip213.218.212.200 | — | |
ip213.218.212.23 | — | |
ip213.218.212.25 | — | |
ip213.218.212.55 | — | |
ip31.172.75.46 | — | |
ip31.192.237.132 | — | |
ip37.221.126.216 | — | |
ip45.12.109.104 | — | |
ip45.12.129.171 | — | |
ip45.12.136.170 | — | |
ip45.129.242.236 | — | |
ip45.129.242.58 | — | |
ip45.134.12.13 | — | |
ip45.140.147.41 | — | |
ip45.140.167.112 | — | |
ip45.140.167.148 | — | |
ip45.159.248.236 | — | |
ip45.159.248.6 | — | |
ip45.67.230.151 | — | |
ip45.67.231.139 | — | |
ip45.67.231.215 | — | |
ip45.82.253.185 | — | |
ip45.85.93.206 | — | |
ip5.39.249.107 | — | |
ip5.9.133.189 | — | |
ip62.192.174.132 | — | |
ip62.192.174.142 | — | |
ip62.192.174.151 | — | |
ip62.192.174.219 | — | |
ip62.192.174.87 | — | |
ip77.110.104.235 | — | |
ip77.239.124.215 | — | |
ip77.239.124.232 | — | |
ip77.239.124.95 | — | |
ip77.91.101.27 | — | |
ip79.137.192.33 | — | |
ip80.85.154.113 | — | |
ip80.85.154.134 | — | |
ip80.85.154.222 | — | |
ip80.85.154.246 | — | |
ip80.85.154.249 | — | |
ip80.85.154.250 | — | |
ip80.85.154.70 | — | |
ip80.85.154.90 | — | |
ip80.85.155.132 | — | |
ip80.85.155.141 | — | |
ip80.85.155.179 | — | |
ip80.85.155.182 | — | |
ip80.85.155.185 | — | |
ip80.85.155.32 | — | |
ip80.85.155.41 | — | |
ip80.85.156.13 | — | |
ip80.85.157.114 | — | |
ip83.147.255.202 | — | |
ip83.147.255.228 | — | |
ip83.147.255.86 | — | |
ip83.217.210.129 | — | |
ip83.217.210.163 | — | |
ip83.217.210.91 | — | |
ip84.21.172.65 | — | |
ip85.192.56.19 | — | |
ip85.192.56.90 | — | |
ip85.209.153.229 | — | |
ip88.218.93.20 | — | |
ip89.169.15.54 | — | |
ip89.42.142.29 | — | |
ip91.207.183.142 | — | |
ip94.130.255.132 | — | |
ip94.130.255.149 | — | |
ip94.131.118.221 | — | |
ip94.131.122.189 | — | |
ip95.164.38.35 | — | |
ip95.164.86.41 | — | |
ip95.216.239.65 | — | |
ip95.217.146.248 | — |
Threat ID: 68ac4652ad5a09ad004b19bd
Added to database: 8/25/2025, 11:17:38 AM
Last enriched: 8/25/2025, 11:32:51 AM
Last updated: 10/11/2025, 4:23:35 AM
Views: 55
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps
MediumStealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers
MediumThreatFox IOCs for 2025-10-10
MediumFrom infostealer to full RAT: dissecting the PureRAT attack chain
MediumThe ClickFix Factory: First Exposure of IUAM ClickFix Generator
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.