Dissecting UAT-8099: New persistence mechanisms and regional focus
UAT-8099 is a malware campaign active from August 2025 to early 2026 targeting vulnerable IIS servers primarily in Asia, with a focus on Thailand and Vietnam. The threat actor uses web shells, PowerShell scripts, and the GotoHTTP tool to maintain remote access. New variants of the BadIIS malware have enhanced persistence features, region-specific customizations, and SEO fraud capabilities. A Linux ELF variant of BadIIS has also been identified, indicating cross-platform targeting. The campaign shares infrastructure and victimology with the WEBJACK campaign, suggesting a coordinated threat actor. Although primarily focused on Asia, the use of IIS servers and PowerShell scripts means European organizations running similar environments could be at risk. The campaign’s complexity and persistence mechanisms make it a medium-severity threat requiring targeted mitigation strategies.
AI Analysis
Technical Summary
The UAT-8099 campaign represents a sophisticated threat actor targeting vulnerable Microsoft IIS web servers, primarily in Southeast Asia, with a focus on Thailand and Vietnam. The attackers deploy web shells and PowerShell scripts to establish and maintain remote access, leveraging the GotoHTTP tool for command and control communications. The campaign features new variants of the BadIIS malware family, which include enhanced persistence mechanisms such as hardcoded regional targeting, exclusive file extensions for stealth, and the ability to load HTML templates to facilitate SEO fraud operations. These SEO fraud tactics aim to manipulate search engine rankings, potentially redirecting traffic to malicious sites or generating illicit revenue. Notably, a Linux ELF variant of BadIIS was discovered, indicating the threat actor’s capability to target both Windows and Linux environments, broadening the attack surface. The campaign shows significant operational overlaps with the WEBJACK campaign, sharing malware hashes, command and control infrastructure, and victim profiles, suggesting a shared or allied threat actor group. The campaign exploits known IIS vulnerabilities and uses advanced techniques such as code injection, persistence via scheduled tasks or services, and obfuscation to evade detection. Despite no known exploits in the wild being reported, the campaign’s use of multiple TTPs (Tactics, Techniques, and Procedures) such as T1059.007 (PowerShell), T1547 (Boot or Logon Autostart Execution), and T1190 (Exploit Public-Facing Application) highlights its sophistication and persistence. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability.
Potential Impact
For European organizations, the UAT-8099 campaign poses a significant risk, especially to those running IIS web servers or mixed Windows/Linux environments. Successful exploitation can lead to unauthorized remote access, data exfiltration, and the establishment of persistent backdoors. The SEO fraud component could damage organizational reputation and lead to financial losses through fraudulent advertising or redirection schemes. The presence of region-specific variants and hardcoded targeting suggests that European entities with business ties or infrastructure linked to Southeast Asia could be indirectly affected. Additionally, the campaign’s ability to evade detection and maintain persistence increases the risk of prolonged compromise, potentially impacting the confidentiality, integrity, and availability of critical web services. The cross-platform nature of the malware also means that organizations with heterogeneous environments are at elevated risk. Disruption of web services could affect customer trust and regulatory compliance, particularly under GDPR requirements for data protection and breach notification.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic advice. First, conduct thorough vulnerability assessments and patch all IIS servers promptly, focusing on known vulnerabilities exploited by web shells and remote code execution. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying PowerShell abuse and unusual persistence mechanisms such as scheduled tasks or service modifications. Monitor network traffic for anomalous connections to suspicious C2 infrastructure, including the use of tools like GotoHTTP. Implement strict web server hardening, including disabling unnecessary modules and restricting file upload capabilities to prevent web shell deployment. Employ file integrity monitoring to detect unauthorized changes, especially for files with unusual extensions or HTML templates used in SEO fraud. Use threat intelligence feeds to identify indicators of compromise related to UAT-8099 and WEBJACK campaigns. Segregate critical web infrastructure and apply least privilege principles to limit lateral movement. Finally, conduct user awareness training focused on phishing and social engineering tactics that may facilitate initial access.
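As an added example (not code from the Talos report or the AlienVault pulse), the following PowerShell script audits the native modules registered globally in IIS, which is where a BadIIS-style module persists. It flags modules that are unsigned, signed by a non-Microsoft publisher, or loaded from outside the inetsrv directory, and reports each module's SHA256 so it can be compared against the published hashes. It assumes the WebAdministration module (IIS management tools) is installed and the script runs elevated on the IIS host; the IoC file path is a placeholder.

```powershell
# Added example, not part of the original report: audit IIS global native modules.
# Assumes WebAdministration is available and the session is elevated.
Import-Module WebAdministration -ErrorAction Stop

$inetsrv = Join-Path $env:windir 'System32\inetsrv'

# Optional: one known-bad SHA256 per line (for example the hashes published for
# UAT-8099). The path below is a placeholder; adjust it for your environment.
$knownBadHashFile = 'C:\ioc\uat8099_sha256.txt'
$knownBad = @{}
if (Test-Path $knownBadHashFile) {
    Get-Content $knownBadHashFile | ForEach-Object {
        $h = $_.Trim().ToLower()
        if ($h) { $knownBad[$h] = $true }
    }
}

$findings = foreach ($m in Get-WebGlobalModule) {
    # Image paths in applicationHost.config usually contain %windir%; expand them.
    $image   = [Environment]::ExpandEnvironmentVariables($m.Image)
    $reasons = @()
    $sha     = $null

    if (-not (Test-Path -LiteralPath $image)) {
        # A registered module whose DLL is gone is itself worth a look.
        $reasons += 'image path missing'
    } else {
        $sha = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash.ToLower()
        $sig = Get-AuthenticodeSignature -FilePath $image

        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
        }

        # Built-in IIS modules live under inetsrv; anything else deserves review.
        if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "loaded from outside $inetsrv"
        }

        if ($knownBad.ContainsKey($sha)) {
            $reasons += 'SHA256 matches a known-bad indicator'
        }
    }

    [pscustomobject]@{
        Module     = $m.Name
        Image      = $image
        SHA256     = $sha
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Suspicious modules first; review the Reasons column for each.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Managed modules registered per site in web.config are not covered by `Get-WebGlobalModule`; pair this check with file integrity monitoring on the web root, as the mitigation text recommends.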
Affected Countries
Thailand, Vietnam, Germany, United Kingdom, France, Netherlands, Poland
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus
- Adversary: UAT-8099
- Pulse Id: 697b57759a314f33d84f3b73
- Threat Score: null
Threat ID: 697b8a84ac063202229c76fd
Added to database: 1/29/2026, 4:27:48 PM
Last enriched: 1/29/2026, 4:42:18 PM
Last updated: 1/29/2026, 10:21:45 PM
Views: 14