Dissecting UAT-8099: New persistence mechanisms and regional focus
UAT-8099 is a malware campaign active from August 2025 to early 2026 targeting vulnerable IIS servers, primarily in Asia, with a focus on Thailand and Vietnam. It uses web shells, PowerShell scripts, and the GotoHTTP tool to maintain persistent remote access. New BadIIS malware variants show enhanced persistence, regional customization, and SEO fraud capabilities, with a Linux ELF variant indicating cross-platform targeting. The campaign shares infrastructure with the WEBJACK campaign, suggesting operational overlap. Although no known exploits are reported in the wild, advanced evasion and persistence techniques pose risks to confidentiality, integrity, and availability. European organizations with exposed IIS servers, especially those with business ties to Asia, should be vigilant. Targeted detection of web shells, PowerShell abuse, and monitoring for GotoHTTP traffic are critical mitigations. Germany, France, and the UK are most likely affected due to IIS usage and strategic interests in Asia.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The UAT-8099 malware campaign, active from August 2025 through early 2026, targets vulnerable Microsoft IIS web servers, primarily in Asian countries such as Thailand and Vietnam. The threat actor relies on several persistence mechanisms, including web shells and PowerShell scripts, to keep long-term remote access, and uses the GotoHTTP tool for covert command-and-control communications. New variants of the BadIIS malware family exhibit stronger persistence, regional customization for the target geographies, and SEO fraud functionality that manipulates search engine rankings for the attacker's benefit. Notably, a Linux ELF variant has been discovered, indicating that the campaign has expanded beyond Windows IIS servers to cross-platform environments. The campaign shares infrastructure and malware hashes with the WEBJACK campaign, implying operational overlap or shared threat actor resources. Although no exploits are publicly known to be used in the wild, the malware relies on evasion techniques such as obfuscated PowerShell commands, fileless persistence, and stealthy network communications to avoid detection by traditional security controls. The tactics align with MITRE ATT&CK techniques including T1059.007 (PowerShell), T1547 (Boot or Logon Autostart Execution), and T1505.003 (Server Software Component), among others. The threat is rated medium severity, with potential impact on confidentiality through data exfiltration, on integrity through unauthorized modifications, and on availability through service disruption. European organizations operating internet-exposed IIS servers, especially those with business or infrastructure ties to Asia, should be alert to this threat. Detection should focus on web shell signatures, anomalous PowerShell activity, and network traffic analysis for GotoHTTP communications. Given the campaign's regional focus and infrastructure overlap, proactive threat hunting and incident response readiness are advised.
Potential Impact
For European organizations, the UAT-8099 campaign presents a medium-level risk, primarily to IIS web servers exposed to the internet. A successful compromise could give the attacker remote access and enable data theft, website defacement, or use of the compromised servers for SEO fraud and further lateral movement. Confidentiality could be compromised through exfiltration of sensitive data, including intellectual property or customer information. Integrity risks include unauthorized modification of web content or server configurations, which can damage brand reputation or cause regulatory compliance issues. Availability impacts could arise if attackers disrupt web services or deploy ransomware or destructive payloads. Organizations with business ties to Asia or shared infrastructure may face a higher likelihood of being targeted. The presence of a Linux ELF variant also broadens the attack surface, potentially affecting mixed-environment deployments. The campaign's persistence and evasion techniques complicate detection and remediation, increasing dwell time and potential damage. Overall, the threat could disrupt business operations, cause financial losses, and erode customer trust if not properly mitigated.
Mitigation Recommendations
European organizations should implement targeted detection and mitigation strategies beyond generic advice. First, conduct comprehensive audits of IIS servers to identify and patch vulnerabilities, even though no specific exploits are reported, to reduce attack surface. Deploy advanced web shell detection tools that analyze web server directories and monitor for unusual file changes or unauthorized scripts. Implement PowerShell logging and enable constrained language mode to detect and block malicious PowerShell activity. Network monitoring should focus on identifying anomalous outbound traffic patterns consistent with GotoHTTP communications, including unusual HTTP headers or encrypted payloads. Employ endpoint detection and response (EDR) solutions capable of detecting fileless persistence and obfuscated scripts. Regularly review and restrict IIS server permissions and disable unnecessary modules or features to limit attacker footholds. Conduct threat hunting exercises focusing on indicators of compromise related to BadIIS and WEBJACK infrastructure. For Linux environments, monitor for ELF binaries with suspicious behavior and apply strict access controls. Finally, maintain updated threat intelligence feeds and collaborate with regional CERTs to stay informed on emerging variants and tactics. Incident response plans should include procedures for rapid containment and eradication of web shells and related malware.
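An added hunting script for the three host-side checks above (it is not from the report or from Talos): it lists native IIS modules loaded from outside the inetsrv directory or without a valid signature (the BadIIS-style foothold, T1505.003), script files recently modified under each site's physical path (web shell candidates), and whether PowerShell script block logging is enabled. It assumes an IIS host with the WebAdministration module and an elevated session; the 30-day window and the extension list are assumptions to tune per environment.

```powershell
# Added example, not part of the original report. Read-only: it collects findings
# for an analyst and changes nothing on the host. Run in an elevated session on IIS.
Import-Module WebAdministration -ErrorAction Stop

$inetsrv  = Join-Path $env:windir 'System32\inetsrv'
$findings = @()

# 1. Global native modules (T1505.003). BadIIS is an IIS module, so any module whose
#    image lives outside inetsrv, is missing, or is not validly signed deserves review.
foreach ($m in Get-WebGlobalModule) {
    $image   = [Environment]::ExpandEnvironmentVariables($m.Image)
    $outside = -not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
    $sig     = if (Test-Path $image) { (Get-AuthenticodeSignature $image).Status } else { 'FileMissing' }
    if ($outside -or $sig -ne 'Valid') {
        $findings += [pscustomobject]@{
            Type   = 'IISModule'
            Item   = "$($m.Name) -> $image"
            Detail = "outside inetsrv=$outside; signature=$sig"
        }
    }
}

# 2. Recently changed server-side script files under every site's physical path.
#    Extension set and 30-day window are assumptions; web.config is included because
#    module and handler registrations for a site live there.
$shellExt = '.aspx', '.ashx', '.asmx', '.asp', '.php', '.jsp', '.config'
$since    = (Get-Date).AddDays(-30)
foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $shellExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type   = 'RecentScript'
                Item   = $_.FullName
                Detail = "modified $($_.LastWriteTime) in site '$($site.Name)'"
            }
        }
}

# 3. Script block logging: the policy value that Event ID 4104 entries in
#    Microsoft-Windows-PowerShell/Operational depend on. Without it, obfuscated
#    PowerShell leaves little on disk and little in the event log.
$sbl     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -ne 1) {
    $findings += [pscustomobject]@{
        Type   = 'Logging'
        Item   = $sbl
        Detail = 'EnableScriptBlockLogging is not set to 1'
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Findings are triage input, not verdicts: legitimately deployed third-party modules and normal content pushes will appear and should be baselined so that only deviations remain.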
Affected Countries
Germany, France, United Kingdom, Thailand, Vietnam
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus
- Adversary: UAT-8099
- Pulse Id: 697b57759a314f33d84f3b73
- Threat Score: null
Threat ID: 697b8a84ac063202229c76fd
Added to database: 1/29/2026, 4:27:48 PM
Last enriched: 2/14/2026, 6:33:54 AM
Last updated: 3/25/2026, 2:02:21 AM