Dissecting UAT-8099: New persistence mechanisms and regional focus
UAT-8099 is a malware campaign active from August 2025 to early 2026, targeting vulnerable IIS servers primarily in Asia, with a focus on Thailand and Vietnam. The threat actor uses web shells, PowerShell scripts, and the GotoHTTP tool to maintain remote access. New variants of the BadIIS malware exhibit enhanced persistence, regional customization, and SEO fraud capabilities. A Linux ELF variant has also been identified, indicating cross-platform targeting. The campaign shares infrastructure and malware hashes with the WEBJACK campaign, suggesting operational overlap. While no known exploits are reported in the wild, the malware employs multiple advanced techniques to evade detection and maintain long-term access. The threat poses a medium severity risk but could impact confidentiality, integrity, and availability of affected systems. European organizations with IIS servers exposed to the internet should be vigilant, especially those with business ties to Asia or using similar infrastructure. Mitigation requires targeted detection of web shells, PowerShell abuse, and network monitoring for GotoHTTP traffic. Countries with significant IIS usage and strategic interest in Asia, such as Germany, France, and the UK, are more likely to be affected.
AI Analysis
Technical Summary
The UAT-8099 campaign represents a sophisticated threat actor targeting vulnerable Microsoft IIS web servers, primarily across Asia, focusing on Thailand and Vietnam. Active from August 2025 through early 2026, the campaign leverages multiple attack vectors including web shells, PowerShell scripts, and the GotoHTTP remote access tool to establish and maintain persistence on compromised systems. The malware family involved, BadIIS, has evolved with new variants that are regionally customized, featuring hardcoded target regions, exclusive file extensions, and the ability to load HTML templates, which facilitates SEO fraud tactics to monetize compromised servers. Notably, a Linux ELF variant of BadIIS was discovered, indicating cross-platform capabilities and expanding the attack surface beyond Windows IIS servers. The campaign exhibits significant operational overlap with the WEBJACK campaign, sharing malware hashes, command and control (C2) infrastructure, and victimology, suggesting a possible shared threat actor or collaboration. The persistence mechanisms include advanced techniques such as abusing PowerShell (T1059.007), implanting web shells (T1505.003), and leveraging system utilities for reconnaissance and lateral movement (T1082, T1057). The campaign also employs obfuscation (T1027), credential access (T1056.004), and defense evasion tactics (T1070.001). Despite the lack of publicly known exploits in the wild, the campaign's multi-faceted approach and regional targeting make it a notable threat. The absence of patch links indicates that the vulnerabilities exploited may be due to misconfigurations or unpatched IIS servers rather than zero-day flaws. The campaign's use of SEO fraud suggests a financial motivation alongside espionage or disruption objectives. Overall, UAT-8099 demonstrates a mature threat actor capable of maintaining long-term access and evading detection through customized malware and persistence techniques.
Potential Impact
For European organizations, the UAT-8099 campaign poses a moderate but tangible risk, especially for those operating IIS web servers exposed to the internet or with business relationships in Southeast Asia. Compromise could lead to unauthorized remote access, data exfiltration, and manipulation of web content for SEO fraud, damaging brand reputation and causing financial losses. The presence of a Linux variant expands the risk to mixed-OS environments common in European enterprises. Persistent access could enable further lateral movement within networks, potentially impacting confidentiality and integrity of sensitive data. The campaign's regional focus on Asia may limit direct targeting in Europe; however, supply chain connections and shared infrastructure could expose European entities indirectly. Additionally, the SEO fraud component could degrade web presence and search engine rankings, affecting marketing and revenue streams. The medium severity rating reflects the campaign's complexity and persistence but also the requirement for vulnerable IIS servers and some level of misconfiguration or lack of patching. Organizations with outdated IIS deployments or insufficient monitoring are at higher risk. The campaign's overlap with WEBJACK suggests a broader threat landscape that European defenders should monitor for emerging tactics and indicators.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to the specific tactics used by UAT-8099. First, ensure all IIS servers are fully patched and hardened, disabling unnecessary modules and enforcing strict access controls. Conduct thorough audits to identify and remove any unauthorized web shells or suspicious files, paying attention to unusual file extensions and HTML templates indicative of BadIIS variants. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting PowerShell abuse and anomalous script execution. Network monitoring should include inspection for GotoHTTP traffic patterns and connections to known C2 infrastructure associated with UAT-8099 and WEBJACK. Implement strict logging and alerting on IIS server activities, including file system changes and process creations. Use threat intelligence feeds to update detection rules with known malware hashes and indicators from the campaign. Employ web application firewalls (WAF) with custom rules to block exploitation attempts targeting IIS vulnerabilities. Regularly train security teams to recognize SEO fraud tactics and investigate sudden changes in web traffic or search rankings. Finally, segment networks to limit lateral movement and enforce the principle of least privilege to reduce the impact of potential compromises.
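The audit and monitoring steps above reduce to two concrete checks a defender can script: match outbound HTTP or proxy logs against the campaign's C2 domains and the `tdk.php?domain=…&path=` callback shape seen in the URL indicators, and hash files under the IIS web root against the published MD5/SHA1/SHA256 list. The following Python is an added example, not code from the Talos report or the OTX pulse. It assumes a whitespace-delimited log format in which the requested URL appears as a full `http(s)://` token, uses an excerpt of the page's domains and hashes, and the log lines and sample file are constructed for the demo.

```python
"""IoC sweep for UAT-8099 indicators (added example; not from the Talos report or OTX pulse)."""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Domains taken from the pulse's indicator list (excerpt).
C2_DOMAINS = {
    "404.imxzq.com", "404.jmfwy.com", "799.cors5.vip", "bxphp.westooo.com",
    "fql.jmfwy.com", "go1.kmm5tn.ceye.io", "google.sneaws.com", "tdk.hunanduodao.com",
    "tdk.jmfwy.com", "tdkfsdfa.cnmseo.com", "th.gtwql.com", "thov.hunanduodao.com",
    "tz.jmfwy.com", "tz.ohtcm.com", "tz.suucx.com", "w3c.sneaws.com",
    "7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la", "2fgithub.com",
}

# Known-bad digests from the pulse (excerpt: one MD5, one SHA1, one SHA256). Lowercase hex.
KNOWN_BAD_HASHES = {
    "11dfb32e4496db16ea7c06994e0fbe62",
    "01e94987f78f7d5abfdcac9d5dbbe1d6b5573226",
    "11ea6aa2b31677f8a36627d4af709e70cff4a033b0975f63c19b28945e6226b7",
}

# SEO-fraud callback shape from the URL indicators: tdk.php / tdks.php / 1018.php?domain=...&path=
TDK_CALLBACK = re.compile(r"/(?:tdk|tdks|1018)\.php\?domain=[^&\s]*&path=", re.I)


def domain_matches(host):
    """True if host equals, or is a subdomain of, a listed C2 domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def check_log_line(line):
    """Return the reasons a log line is suspicious (empty list if clean).
    Assumption: the URL is a whitespace-delimited token starting with http:// or https://."""
    reasons = []
    for tok in line.split():
        if not tok.lower().startswith(("http://", "https://")):
            continue
        host = urlsplit(tok).hostname or ""
        if domain_matches(host):
            reasons.append(f"c2-domain:{host}")
        if TDK_CALLBACK.search(tok):
            reasons.append("tdk-callback-pattern")
    return reasons


def scan_log(lines):
    """Map line index -> reasons for every line that matched at least one indicator."""
    return {i: r for i, line in enumerate(lines) if (r := check_log_line(line))}


def hash_file(path):
    """MD5, SHA1 and SHA256 of a file, so any published digest form can be matched."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep_webroot(root, bad_hashes=KNOWN_BAD_HASHES):
    """Walk a web root and return {path: matched_digest} for files on the known-bad list."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            for digest in hash_file(p).values():
                if digest in bad_hashes:
                    hits[str(p)] = digest
    return hits


# Constructed proxy log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "2026-01-15T10:00:01Z 10.0.0.5 GET https://www.example.org/index.html 200",
    "2026-01-15T10:00:02Z 10.0.0.5 GET https://tdk.jmfwy.com/tdk.php?domain=victim.example&path=/ 200",
    "2026-01-15T10:00:03Z 10.0.0.5 GET http://tz.ohtcm.com/jump/ov.js 200",
]


def demo_sweep():
    """Stand-in for a real web root: one constructed file whose MD5 is seeded into the bad list."""
    with tempfile.TemporaryDirectory() as root:
        sample = Path(root) / "wwwroot" / "bin" / "sample.dll"
        sample.parent.mkdir(parents=True)
        sample.write_bytes(b"constructed sample content, not real malware")
        seeded = KNOWN_BAD_HASHES | {hashlib.md5(sample.read_bytes()).hexdigest()}
        return sweep_webroot(root, seeded)


if __name__ == "__main__":
    for idx, reasons in scan_log(SAMPLE_LOG).items():
        print(f"log line {idx}: {', '.join(reasons)}")
    print("web root hits:", demo_sweep())
```

In production the domain set and hash set would be loaded from the full indicator list below and the log parser adapted to the proxy's actual field order; the subdomain match in `domain_matches` is deliberate because the pulse lists several hosts under the same registrable domains (`jmfwy.com`, `hunanduodao.com`, `sneaws.com`).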
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
- hash: 11dfb32e4496db16ea7c06994e0fbe62
- hash: 64d27ccd15c24e711854f9211412fa06
- hash: 7546b74707742d2c0fea2cc7fb6afc70
- hash: 81943db193b85e58efca17f9c08a3bf6
- hash: 8eb1cce177695f51bbd6ece5485e520d
- hash: 8fcdc406e1c9424347fcaa110a824bc0
- hash: 9df68541a76494967fa45664fd097d55
- hash: cd3d556aaff404d37024ff9bbef78734
- hash: e656f8c61ffc614f0bcdf1249147fe63
- hash: e84553b63969eb8e31ad019eae4d9955
- hash: ec661bc77283bb3d96b37775499c03da
- hash: f4ea4e9b8017b5edd392b7416bd390af
- hash: ff0eb16768e7ecde4c7407f68a1f9b95
- hash: 01e94987f78f7d5abfdcac9d5dbbe1d6b5573226
- hash: 0ee438ff255787e841581e5c23d340dfee8265b9
- hash: 1a6654e3bc69b89e50d6ee3eab85b3c819d3a793
- hash: 1e11085eeb4e617c5215bfde8b928d23d321da7d
- hash: 1e420360f99d96920c443129c6801aa661f6073d
- hash: 3df7e0c5e77dcc9e242e9aedcb48d6fd0fd8c876
- hash: 500db7699d66db1c92f3a4ea722596884382c7a7
- hash: b059c4725f1b62cc8534bdab4092fd840e833907
- hash: c10e52d383695b79137a4523ac4cf6a6acb1666e
- hash: c9128242176083fb07147d8e39c8c3c053479d15
- hash: db5f5c4358c295aa32f5a7d62869b21f9fe45e43
- hash: de325a01346d30fae09dddb5cd753c3f35ce69fa
- hash: e07db0d74a2e2942c6523444193f204d95aaf4f6
- hash: ec7d20926cc102b6685c07f894a6b0835e8e2cdd
- hash: fdff3d79a06cc022135a5a264978ef69e7cc29ad
- hash: 11ea6aa2b31677f8a36627d4af709e70cff4a033b0975f63c19b28945e6226b7
- hash: 187e1417fd9d4f4a44e4f7b7172aef056e9d0ab5d7a7addf61c2cfa893f74fd1
- hash: 1ab98783a02ad9f127e776c435ef4e24a18ab93c4b4ee5ede722817d4b20771a
- hash: 1ece4d8603f5e28a7b0f6a8c83963a57cf23e5d2fadfc138419c3a051a75c93a
- hash: 21a43568025709b66240454fc92d4f09335a96863f8ab1c46b4a07f6a5b67102
- hash: 230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9
- hash: 265336511db98a4c40476455e2ae93aaf926abecd8f9b9d741f8d253abb80357
- hash: 29ffb1d28f98582e81e78e6b2d5502da50c8ebdee0d40005a86b0dadece2923b
- hash: 2cc87bd2ae25a5119cb950618850eddeb578954fa780b125c1f51d234fb405e3
- hash: 33d3ccf82279d94a8e8e772a0c4963d65a1f3576dbd6ed7b4ab8a0ee4869f97f
- hash: 383ac5ccf706a0d980c0805a892361b7be68e1b3fd9236336fdc2b239d96842c
- hash: 3ecb54a6abbd0be974a513390f33039626c8cae39e1d51c18e298ff85311e68d
- hash: 416ef6da8a27a99cbce6517d31857c8b8b55f02e9c8118510dc33814fb6f57be
- hash: 48ec6530470b295db455bf2c72dc4fbd18672725f45821304f966d436b428865
- hash: 4bc189af91779582a1d29cfe187aa233e7ba50d223261fb9fbe31df5b06dff96
- hash: 5213eae389c10a1e1e59001c89a5baad76b54233989b95382178233fe15a039d
- hash: 565502d2454e4b65d3bd810fccf4b429264562fefa5cfff24c905b76b3b860a6
- hash: 56be91643dd8b86f347cc8d743c568f2d0169781ba999a2f708e503b59ecff76
- hash: 5d320b60d2f40c200e81eaeb67a86a04782bff84582c73e726255dba2dcb821e
- hash: 6229437844e2cf3153e3b9efa2ea17ff3954d46eb1875813c22400fdf136be72
- hash: 660ccb6dcfad97bfaddc667c61b1904e99a06eab981d44119092624d42912d68
- hash: 672ffdf1e9d4848015d29a68111266ef55fc6702dfe7b2053ce677882648dd5d
- hash: 6b60b6df8a1a95f51ffe57255c05d26eb9e113857efac3b29d6ef080b8d414f3
- hash: 6be5c8882bc02cf4e86d2ab9d20aa3446b71dd12c73f9c6bf0faf9412d7d23ba
- hash: 70d6bc89451e36889c045f30de22bc02e032788c8938baa0d5802e8f747c3e79
- hash: 78f68419d80dca0ce30874953545d47ddf21115dd0a51a5ae76223bd4a3abb09
- hash: 7eed3e20c41f6c464df945b1f353a52c450ca1653f4697d4ebcc58c2adc5868a
- hash: 8ae8fabe7c3d9f8aef24c4eda323ab8640a56d51deb88fe58e5baf648d9e06b6
- hash: 91e1f4fc92f104ec8b29bb56df87f8e7d8b518c63997e2ea162d3f1cac3fcac1
- hash: 931b3abcd3ebc82be7d24dbe196928ec7113e0562eaf3f8d18bcf64253bb9d1e
- hash: 9458a75c1e24add9a48e0425e514a5f0cb46a826bff30ea7ea34e69099345f29
- hash: 99f2c4773560eb515cfcb0ad45cf8e47c46580ab19494463160f885e048ce830
- hash: 9a2fd34e22c5f3d3d5fb96e3cd514dad7b03ed7bf53a87e7d8d9b73987d02ece
- hash: 9c6cea0ccc0906cdcef9e9ff6e9086b3111e76618e9a254121d152f123a539c5
- hash: a34ea8fb565ac6f57eefc987c61159c1e6f1af6a8717ffb42f4b745db3bf9e31
- hash: a5899f6dfde0ea5a79be562ca8ca01e11673c1d36a037847396db0c949014259
- hash: a781581baf6e1e335f22c9ffbb2656a2d9c8e51f463e3a48068210425df1c205
- hash: ab03a7caed279fc6411ec19386faff3b65be34c91c3f0550eaef84a663720d0d
- hash: bcc393c1686a0f5d493041e98dcafe0098d952d5e93eb4d2ebdb63c0efd2de33
- hash: c7a22f5c55ac1373a5964a6598da2a9afd8a61b9d729b9bf52a93c967a7f0eda
- hash: cdf454173bac13266e0f7db5de386439f197e2c480e1cc303dd7e806484645da
- hash: d8c0ef6dbf7d4572f92d3a492f32061ab8f3dd46beb9ff5a0bf9bf550935458c
- hash: e448557d26cf2917efded8e30c67db8094ce1f6db78801742988ea21f3429d7c
- hash: e84a16c8e25a4e40926cbb4cc210a09830298b6f99d532035f5136d05ffc008c
- hash: ebeef831c52b7e930a6456caedf7849814b8d4def2bc0e70a0e7a357621ef6bc
- hash: f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb
- url: http://404.imxzq.com/tdks.php?domain=%s&path=%s
- url: http://go1.kmm5tn.ceye.io
- url: http://tdk.hunanduodao.com/jump/fql.js
- url: http://tdk.hunanduodao.com/jump/ov.js
- url: http://tdk.hunanduodao.com/tdk.php?domain=%s&path=%s
- url: http://tdkfsdfa.cnmseo.com/jump/fql.js
- url: http://tdkfsdfa.cnmseo.com/jump/ll.js
- url: http://tz.jmfwy.com/jump/json.js
- url: http://tz.jmfwy.com/jump/mage.js
- url: http://tz.jmfwy.com/jump/tiger.js
- url: http://tz.ohtcm.com/jump/fql.js
- url: http://tz.ohtcm.com/jump/json.js
- url: http://tz.ohtcm.com/jump/ll.js
- url: http://tz.ohtcm.com/jump/ov.js
- url: http://tz.suucx.com/jump/ov.js
- url: https://404.imxzq.com/tdks.php?domain=%s&path=%s
- url: https://404.jmfwy.com/tdks.php?domain=%s&path=%s
- url: https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/go.exe
- url: https://7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la/test/zcgo/zcgo1.vbs
- url: https://799.cors5.vip/1018.php?domain=%s&path=%s
- url: https://bxphp.westooo.com/58z.js
- url: https://bxphp.westooo.com/?xhost=%s&url=%s&ua=Googlespider&f=bd
- url: https://bxphp.westooo.com/u.php
- url: https://fql.jmfwy.com/tdks.php?domain=%s&path=%s
- url: https://tdk.jmfwy.com/tdk.php?domain=%s&path=%s
- url: https://th.gtwql.com/1018.php?domain=%s&path=%s
- url: https://thov.hunanduodao.com/tdks.php?domain=%s&path=%s
- domain: 2fgithub.com
- domain: 404.imxzq.com
- domain: 404.jmfwy.com
- domain: 7070-ppxcx-a1-3gg5ufwp666ee644-1300076834.tcb.qcloud.la
- domain: 799.cors5.vip
- domain: bxphp.westooo.com
- domain: fql.jmfwy.com
- domain: go1.kmm5tn.ceye.io
- domain: google.sneaws.com
- domain: tdk.hunanduodao.com
- domain: tdk.jmfwy.com
- domain: tdkfsdfa.cnmseo.com
- domain: th.gtwql.com
- domain: thov.hunanduodao.com
- domain: tz.jmfwy.com
- domain: tz.ohtcm.com
- domain: tz.suucx.com
- domain: w3c.sneaws.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus
- Adversary: UAT-8099
- Pulse Id: 697b57759a314f33d84f3b73
- Threat Score: null
Threat ID: 697b8a84ac063202229c76fd
Added to database: 1/29/2026, 4:27:48 PM
Last enriched: 2/6/2026, 8:00:24 AM
Last updated: 2/7/2026, 8:46:14 AM
Views: 74