Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign
A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to redirect users to malicious sites. The campaign primarily targets East and Southeast Asia, with a focus on Vietnam. The attackers employ various tools including native IIS modules, ASP.NET handlers, and PHP scripts. The operation shows links to previously known threat groups like Group 9 and possibly DragonRank. The campaign demonstrates sophisticated techniques for search result manipulation and traffic redirection, posing significant risks to unsuspecting internet users.
AI Analysis
Technical Summary
Operation Rewrite is a sophisticated SEO poisoning campaign conducted by a Chinese-speaking threat actor group identified as CL-UNK-1037. The attackers leverage a malicious IIS (Internet Information Services) module named BadIIS to compromise web servers and intercept web traffic. By manipulating HTTP responses and altering search engine results, they redirect users to malicious websites, potentially exposing them to further malware infections, phishing, or fraud. The campaign primarily targets servers in East and Southeast Asia, with a particular focus on Vietnam. The attackers utilize a combination of native IIS modules, ASP.NET handlers, and PHP scripts to maintain persistence and control over compromised systems. The operation shows links to previously known threat groups such as Group 9 and possibly DragonRank, indicating a continuation or evolution of prior SEO poisoning tactics. Techniques employed include web shell deployment, command execution (T1059), exploitation of web server vulnerabilities (T1190), and traffic redirection (T1189). This campaign is notable for its scale and the complexity of its manipulation of search engine results, which can undermine user trust in legitimate websites and search engines. Although no known exploits are currently reported in the wild for this specific BadIIS module, the threat actor’s ability to compromise IIS servers and manipulate web traffic represents a significant risk to organizations hosting web services on Microsoft IIS platforms.
Potential Impact
For European organizations, the direct impact of Operation Rewrite may be limited due to the campaign's current geographic focus on East and Southeast Asia, especially Vietnam. However, European entities running IIS web servers could be at risk if the campaign expands or if similar tactics are adopted by other threat actors targeting Europe. The manipulation of search engine results can lead to reputational damage, loss of user trust, and potential exposure of users to malware or phishing attacks. Compromised IIS servers can also serve as footholds for further network intrusion, data exfiltration, or lateral movement within an organization. Additionally, organizations involved in international business with Asia or hosting multilingual websites could inadvertently become targets or collateral victims. The campaign’s use of native IIS modules and web shells complicates detection and remediation, increasing the risk of prolonged compromise and operational disruption.
Mitigation Recommendations
European organizations should implement targeted measures beyond generic advice:
1) Conduct thorough audits of IIS servers to detect unauthorized modules such as BadIIS or unusual ASP.NET handlers and PHP scripts.
2) Employ advanced web server monitoring tools capable of detecting anomalous traffic interception or manipulation.
3) Harden IIS configurations by disabling unnecessary modules and enforcing strict access controls on web server components.
4) Regularly update and patch IIS and related web application frameworks to close known vulnerabilities that could be exploited for module injection or web shell deployment.
5) Implement network segmentation to limit the impact of compromised web servers and restrict outbound traffic to prevent malicious redirections.
6) Use threat intelligence feeds to monitor for indicators of compromise related to Operation Rewrite and related groups.
7) Educate web administrators on recognizing signs of SEO poisoning and unusual search result behaviors.
8) Deploy web application firewalls (WAFs) with custom rules to detect and block malicious IIS module activity and traffic redirection attempts.
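As an added example in support of recommendations 1 and 6 (this script is not part of the advisory or the Unit 42 report), the following PowerShell inventories the two registration points a BadIIS-style native module or a rogue ASP.NET handler must appear in, the global module list and the server-level handler mappings in applicationHost.config, flags images and script processors loaded from outside the stock IIS and .NET directories, and records each module's Authenticode status and SHA-256 for comparison against an IoC feed. The trusted-root list and the `System.*` managed-type heuristic are assumptions to tune for your own deployment.

```powershell
# Added example for an IIS host; not from the advisory or the Unit 42 report.
# Enumerates native (global) modules and server-level handler mappings from
# applicationHost.config and flags anything loaded from outside the stock
# IIS/.NET directories. Run in an elevated PowerShell session on the server.
Import-Module WebAdministration -ErrorAction Stop

# Assumption: a stock install loads native modules and runtimes only from here.
# Add the install paths of third-party modules you deploy on purpose.
$TrustedRoots = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-IisModuleInventory {
    # Global modules load into every worker process, which is what makes them
    # attractive for intercepting and rewriting traffic.
    Get-WebGlobalModule | ForEach-Object {
        $image  = [Environment]::ExpandEnvironmentVariables($_.Image)
        $exists = Test-Path -LiteralPath $image
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        [pscustomobject]@{
            Name       = $_.Name
            Image      = $image
            # SHA-256 is what most IoC feeds publish; compare this column against them.
            Sha256     = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $image).Hash } else { '' }
            # Some in-box DLLs are catalog-signed and report NotSigned here, so
            # treat the signature as context, not as a verdict on its own.
            Signature  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = (-not $exists) -or (-not (Test-TrustedPath $image))
        }
    }
}

function Get-IisHandlerInventory {
    # Server-level handler mappings. A managed handler type outside System.*, or a
    # scriptProcessor such as a php-cgi.exe nobody remembers installing, deserves a look.
    Get-WebConfiguration -Filter '/system.webServer/handlers/add' -PSPath 'MACHINE/WEBROOT/APPHOST' |
        ForEach-Object {
            $proc = [Environment]::ExpandEnvironmentVariables([string]$_.scriptProcessor)
            # FastCGI script processors may carry arguments after a '|' separator.
            $exe  = ($proc -split '\|')[0].Trim('"')
            $type = [string]$_.type
            [pscustomobject]@{
                Name            = $_.name
                Path            = $_.path
                Verb            = $_.verb
                Modules         = $_.modules
                ScriptProcessor = $proc
                ManagedType     = $type
                # Heuristic (assumption): in-box managed handlers all live under System.*
                Suspicious      = ($exe -ne '' -and -not (Test-TrustedPath $exe)) -or
                                  ($type -ne '' -and $type -notlike 'System.*')
            }
        }
}

Get-IisModuleInventory  | Where-Object Suspicious | Format-Table Name, Image, Signature, Sha256 -AutoSize
Get-IisHandlerInventory | Where-Object Suspicious | Format-Table Name, Path, ScriptProcessor, ManagedType -AutoSize
```

Anything listed is a candidate for review against a known-good baseline of the server, not an automatic verdict; a legitimately installed PHP FastCGI handler will also surface here and should simply be confirmed.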
Affected Countries
Vietnam, China, Singapore, Malaysia, Thailand, Indonesia
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign
- Adversary: CL-UNK-1037
- Pulse Id: 68d50979e4d5d3cea426e8e4
- Threat Score: null
Threat ID: 68d54f4fee8591765f469634
Added to database: 9/25/2025, 2:18:55 PM
Last enriched: 9/25/2025, 2:20:08 PM
Last updated: 9/25/2025, 10:44:53 PM