The ChimeraWire trojan boosts website popularity by skillfully pretending to be human
The ChimeraWire trojan is a Windows-targeting malware that artificially inflates website popularity by simulating human user behavior. It operates by controlling Google Chrome in debug mode to perform automated clicks and solve CAPTCHAs, thereby boosting search engine rankings. Distributed via multiple infection chains involving various downloaders and exploits, ChimeraWire currently focuses on click fraud but has the potential to evolve into more sophisticated operations such as form filling, web scraping, and cyber espionage. The malware employs stealth techniques to evade detection and is built on modular tools that could be repurposed for advanced malicious activities. While no known exploits are currently active in the wild, the threat poses a medium severity risk due to its potential impact on web integrity and future capabilities. European organizations involved in digital marketing, e-commerce, and web services could be targeted or indirectly affected by distorted analytics and reputational damage. Mitigation requires enhanced endpoint detection, monitoring for abnormal browser automation, and restricting debug mode usage. Countries with high internet commerce activity and advanced digital economies, such as Germany, the UK, France, and the Netherlands, are more likely to be impacted. Given the malware’s automation capabilities and stealth, the suggested severity is medium.
AI Analysis
Technical Summary
ChimeraWire is a novel trojan malware targeting Windows systems, discovered by Doctor Web experts. Its primary function is to artificially boost website popularity by simulating human interactions with websites, thereby manipulating search engine rankings. The trojan achieves this by controlling the Google Chrome browser running in debug mode, allowing it to automate user actions such as clicking on links and solving CAPTCHAs without human intervention. This automation is sophisticated, enabling the malware to bypass common detection mechanisms that look for robotic or scripted behavior. ChimeraWire is distributed through complex infection chains that involve multiple downloader trojans and exploit vectors, indicating a modular and layered attack strategy. Although its current operations focus on click fraud, the underlying architecture supports more advanced features like automated form filling, web scraping, and potentially cyber espionage activities, which could be introduced in future versions. The malware’s stealth techniques include evading sandbox detection and anti-debugging measures, making it difficult for traditional antivirus solutions to detect and remove. No specific affected software versions or patches are currently identified, and no active exploits have been reported in the wild. The malware’s use of legitimate browser debugging features for malicious purposes represents a novel abuse vector. The threat is classified as medium severity due to its potential to distort web analytics, impact digital marketing integrity, and its capacity for future expansion into more damaging cyber activities.
Potential Impact
For European organizations, ChimeraWire presents several risks. Primarily, it can distort web traffic analytics and search engine rankings, undermining the reliability of digital marketing campaigns and e-commerce performance metrics. This can lead to misguided business decisions, wasted marketing budgets, and reputational harm if fraudulent traffic is detected by partners or customers. Organizations relying heavily on online presence, such as digital marketing agencies, e-commerce platforms, and media companies, are particularly vulnerable. Additionally, the malware’s potential evolution into web scraping and cyber espionage tools could threaten the confidentiality of sensitive business data and intellectual property. The stealthy nature of ChimeraWire complicates detection, increasing the risk of prolonged undetected infections. While direct damage to system integrity or availability is currently limited, the indirect consequences on business operations and trust in digital ecosystems are significant. The medium severity reflects these combined factors, emphasizing the importance of proactive defense measures in the European digital economy.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy against ChimeraWire. First, enhance endpoint detection and response (EDR) capabilities to identify unusual browser automation activities, especially Chrome instances running in debug mode. Monitor for automated CAPTCHA solving and abnormal click patterns that deviate from typical user behavior. Restrict or audit the use of browser debugging features in corporate environments to prevent misuse. Employ network traffic analysis to detect communication with known downloader trojans or command and control servers associated with ChimeraWire infection chains. Regularly update and patch all software, even though no specific patches exist for ChimeraWire, to reduce exposure to exploitation vectors used in infection chains. Conduct user awareness training to recognize phishing or social engineering attempts that could initiate infection. Utilize threat intelligence feeds to stay informed about emerging variants and related indicators of compromise. Finally, implement strict access controls and application whitelisting to limit execution of unauthorized scripts or binaries that could facilitate malware deployment.
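One concrete way to act on the first two recommendations (flag Chrome instances running in debug mode and browsers started by something other than the user) is a small hunt over process-creation telemetry. The following is an added example for this page, not code from Doctor Web or from the offseq report. It assumes process-creation events (Sysmon Event ID 1 or Windows Security 4688, exported by a SIEM) arrive as one JSON object per line with the fields `Image`, `CommandLine`, `ParentImage` and `User`, that "debug mode" corresponds to Chromium's DevTools remote-debugging and headless switches, and that the parent-process allowlist is tuned per fleet. The sample events are constructed.

```python
"""Hunt process-creation telemetry for Chrome launched in remote-debugging mode.

Added example for this page; not code from Doctor Web or the offseq report.
Assumptions: events are JSON lines with Image, CommandLine, ParentImage and
User; "debug mode" means Chromium's DevTools remote-debugging switches.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Chromium switches that expose the DevTools protocol or hide the window.
# A browser on a user workstation rarely needs any of them.
DEBUG_SWITCHES = {
    "--remote-debugging-port",
    "--remote-debugging-pipe",
    "--remote-debugging-address",
    "--headless",
}

# Chromium-based browser binaries to check (assumption; extend per fleet).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}

# Parents that normally start a browser interactively (assumption; tune per fleet).
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "userinit.exe"}

SWITCH_RE = re.compile(r"--[A-Za-z0-9-]+")


@dataclass
class Finding:
    user: str
    image: str
    parent: str
    switches: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def debug_switches(command_line: str) -> List[str]:
    """Return the debug/headless switches on a command line, in order.

    Only the switch name is compared, so --headless=new and
    --remote-debugging-port=9222 both match.
    """
    return [s for s in SWITCH_RE.findall(command_line) if s.lower() in DEBUG_SWITCHES]


def assess(event: dict) -> Optional[Finding]:
    """Score one process-creation event; None means nothing to report."""
    image = basename(event.get("Image", ""))
    if image not in BROWSER_IMAGES:
        return None
    parent = basename(event.get("ParentImage", ""))
    switches = debug_switches(event.get("CommandLine", ""))
    reasons = []
    if switches:
        reasons.append("remote-debugging/headless switch")
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if not reasons:
        return None
    return Finding(event.get("User", "?"), image, parent, switches, reasons)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run assess() over JSON-lines telemetry, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry must not abort the hunt
        finding = assess(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): one benign launch, one
# automation-style launch from an unknown parent, one developer-style launch,
# one unrelated process, and one corrupt line.
SAMPLE_EVENTS = r"""
{"User": "CORP\\alice", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --profile-directory=Default"}
{"User": "CORP\\alice", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Users\\Public\\svc\\update.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=9222 --headless=new --user-data-dir=C:\\Users\\Public\\p1"}
{"User": "CORP\\bob", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --remote-debugging-pipe"}
{"User": "CORP\\bob", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe --remote-debugging-port=9222"}
this line is not JSON
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f.user}: {f.image} <- {f.parent} {f.switches} {'; '.join(f.reasons)}")
```

The two signals are scored separately on purpose: a developer starting Edge with `--remote-debugging-pipe` from Explorer produces a single-reason finding that can be triaged against a developer allowlist, while a browser spawned headless from an unknown binary in a world-writable directory carries both reasons and deserves immediate attention. The parent allowlist is the part that needs tuning per environment; browser launches from productivity software (mail clients, chat tools) are common and should be added before the rule goes live.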
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Author: AlienVault
- TLP: white
- References: https://news.drweb.com/show/?i=15090&lng=en&c=5
- Adversary: null
- Pulse Id: 693940a1faa6909adf5a414c
- Threat Score: null
Indicators of Compromise
Hash
| Value | Type | Description |
|---|---|---|
| 09c26df025752b9ed6c3df1ed64717ee | MD5 | MD5 of 1e010f4637284da7c2c6ac9a8fb2b1bdec8f2abf |
| 121883112007967088d3fcb5f5106d6b | MD5 | MD5 of a5207352be07557960240014ebbc6401c31110c1 |
| 24a5f9ed11c73f3fee3274fc8ef55814 | MD5 | MD5 of ce591bd31bee720dd0ee631f7be63904255a664b |
| 25f191ca42ad3d9844e0e6b7422420db | MD5 | MD5 of 993fc928f3f3a4bd6f356d2c567548dcedeef89b |
| 28eeaa26cec3a45fbf997bceac93ad41 | MD5 | MD5 of 370e410383244c9f1ff75acb4d0dfbef29b483f6 |
| 2a53b01b30141ee1ab32ce31f75ee822 | MD5 | MD5 of 477902f5b2934086def7319fc40662d3e603616b |
| 495f4aab3761c439b407b73a0ccc5b74 | MD5 | MD5 of 054b9e9a9b76eccbce00e8f4d249a8e93f178f3c |
| 4c6051058ab1d22451daf768dcaeea29 | MD5 | MD5 of 7332fdb6e9b34e1d3dfb94a53272d1b3b6415333 |
| 5d3993838844308fd1979c90d3ccc1bd | MD5 | MD5 of d56f4ee28e2545b087972b86507843c6a7836b6d |
| 6eac03ff0fca651e030d8e03b8dc14ea | MD5 | MD5 of e70a41a6ac176e0173f3769de127c704fb0d3239 |
| 86fc37cbf1b34223c7d90bf2d57e13c5 | MD5 | MD5 of 5011e937851f3c4ecbd540d89a5dffd52922dfff |
| 8b211b03d865cc9aa788313b8287e37b | MD5 | MD5 of 8badce03b976fa1a4a3ab1b73ce6e158daf35b2a |
| 9961986378873f1de087bb4554412cd5 | MD5 | MD5 of f4ec358ae772d954b661dc9c7f5e4940a2c733e2 |
| a172ea892aecbec4c9ecdd40e2a912f1 | MD5 | MD5 of 85d5f01e68924e49459b6cc1ccceb74daa03bfbd |
| a468208929b1669aa20e7eacd6bbb33d | MD5 | MD5 of 231ebce457fb9c1ea23678e25b3b62b942febb7d |
| bd069433112943cd86d3981c42f4ab8e | MD5 | MD5 of 71f9af933330a08e05fa99e21f1d3684299f159f |
| d9f5ab0c58543315d511830de97f6640 | MD5 | MD5 of fb889b6fb1a05854ddab3dc056a4be6a6129c8b0 |
| de24ef8237208f8162907874f1952a17 | MD5 | MD5 of b49423f5eebfa3c969992c1e5181e40f14255283 |
| ea75aba2baa57b47629d3acc4758bc23 | MD5 | MD5 of 752cbf3b0a18831b1ee02c8850517c695ddda98e |
| ed8e3539c0a425929761158c540d8a55 | MD5 | MD5 of 2728a59e8ededa1d9d2d24ea37e3d87e1be9dd85 |
| edbc40b077886a624e6083f8f1cf1ad8 | MD5 | MD5 of eb76a4c01f744cd357f6456526d379dc4653a20a |
| fc3cc6cf464a78d8b6fd9c53e96d92da | MD5 | MD5 of 0d9224ec897d4d20700a9de5443b31811c99b973 |
| 054b9e9a9b76eccbce00e8f4d249a8e93f178f3c | SHA-1 | — |
| 0d9224ec897d4d20700a9de5443b31811c99b973 | SHA-1 | — |
| 1e010f4637284da7c2c6ac9a8fb2b1bdec8f2abf | SHA-1 | — |
| 231ebce457fb9c1ea23678e25b3b62b942febb7d | SHA-1 | — |
| 2728a59e8ededa1d9d2d24ea37e3d87e1be9dd85 | SHA-1 | — |
| 370e410383244c9f1ff75acb4d0dfbef29b483f6 | SHA-1 | — |
| 477902f5b2934086def7319fc40662d3e603616b | SHA-1 | — |
| 5011e937851f3c4ecbd540d89a5dffd52922dfff | SHA-1 | — |
| 684fa80fc7173bb7704d861cd410e4a851305f0d | SHA-1 | — |
| 71f9af933330a08e05fa99e21f1d3684299f159f | SHA-1 | — |
| 7332fdb6e9b34e1d3dfb94a53272d1b3b6415333 | SHA-1 | — |
| 752cbf3b0a18831b1ee02c8850517c695ddda98e | SHA-1 | — |
| 85d5f01e68924e49459b6cc1ccceb74daa03bfbd | SHA-1 | — |
| 8badce03b976fa1a4a3ab1b73ce6e158daf35b2a | SHA-1 | — |
| 9468b3c9b59cb485df6f363b8077abf7a6bbae2a | SHA-1 | — |
| 993fc928f3f3a4bd6f356d2c567548dcedeef89b | SHA-1 | — |
| a5207352be07557960240014ebbc6401c31110c1 | SHA-1 | — |
| b49423f5eebfa3c969992c1e5181e40f14255283 | SHA-1 | — |
| ce591bd31bee720dd0ee631f7be63904255a664b | SHA-1 | — |
| d56f4ee28e2545b087972b86507843c6a7836b6d | SHA-1 | — |
| e70a41a6ac176e0173f3769de127c704fb0d3239 | SHA-1 | — |
| eb76a4c01f744cd357f6456526d379dc4653a20a | SHA-1 | — |
| f4ec358ae772d954b661dc9c7f5e4940a2c733e2 | SHA-1 | — |
| fb889b6fb1a05854ddab3dc056a4be6a6129c8b0 | SHA-1 | — |
| 01203624d98880cdb1264c0452730dc87f1b0a8da14ec9b276c84c6e1b484898 | SHA-256 | SHA256 of 231ebce457fb9c1ea23678e25b3b62b942febb7d |
| 01315bf33ae4d6ddce5aa244e0effacad319d41fe6e178765e887b00633d3e48 | SHA-256 | SHA256 of 7332fdb6e9b34e1d3dfb94a53272d1b3b6415333 |
| 048b30fe1398dcda4be66a564e2d48b73d82e133e36b76ae5d246055a2c0cf5c | SHA-256 | SHA256 of 85d5f01e68924e49459b6cc1ccceb74daa03bfbd |
| 07966e47e550e36304be55a56345b3d2d4e8952aa8fcdb1ae8b468db9eabea81 | SHA-256 | SHA256 of a5207352be07557960240014ebbc6401c31110c1 |
| 1026933cbdfe66af902ff63bf31c91eff8948d74ee9cd770f1612781d83c48a6 | SHA-256 | SHA256 of f4ec358ae772d954b661dc9c7f5e4940a2c733e2 |
| 16cfed311e7f7257f6289d99f78f40962781f39fe08257fc8c399b0cacbe969d | SHA-256 | SHA256 of b49423f5eebfa3c969992c1e5181e40f14255283 |
| 22db57391bbe56e2f8c5c94465e4e3d61047d96b21787f2312b06b0c240b03aa | SHA-256 | SHA256 of ce591bd31bee720dd0ee631f7be63904255a664b |
| 42692d548a000df5569ea7bb556ca9e1620c40eb649c8c60468744314dae5aa9 | SHA-256 | SHA256 of 2728a59e8ededa1d9d2d24ea37e3d87e1be9dd85 |
| 5230878dd9e8df70c4c89774bc147c55cfe37fe3b13e93c301faecd9193a3043 | SHA-256 | SHA256 of 477902f5b2934086def7319fc40662d3e603616b |
| 66bdaae50d5a37b14d050672de6361a51103222ce24a0f4a0dc1afb8d682e0c8 | SHA-256 | SHA256 of 993fc928f3f3a4bd6f356d2c567548dcedeef89b |
| 6c7ed5c36723092b8ad342ed2c45e41d621a46561089c9879ac7dac646aab3b5 | SHA-256 | SHA256 of 71f9af933330a08e05fa99e21f1d3684299f159f |
| 6c9e64cdadae9349801dfa2263891216654a5bde0fff9701bbe6e0741b9d437a | SHA-256 | SHA256 of eb76a4c01f744cd357f6456526d379dc4653a20a |
| 6cfb7ba135a8f4c18d2f59869d8eacf8ee6d947426f73b69048aec20c88ac2f9 | SHA-256 | SHA256 of 0d9224ec897d4d20700a9de5443b31811c99b973 |
| 72b3bd9e2bc8413fa374d8ded5500d88c91026987f27e388d794986980d4a3b2 | SHA-256 | SHA256 of 1e010f4637284da7c2c6ac9a8fb2b1bdec8f2abf |
| 72be4ec217602f6d1ac8dcb51f8689b635a33632f7e85c4a755cb43c1b29aad6 | SHA-256 | SHA256 of e70a41a6ac176e0173f3769de127c704fb0d3239 |
| 7d61af25a15ad18d83551b8a0b937c2895c6fd5f55aaf1b9a78388385e11d805 | SHA-256 | SHA256 of d56f4ee28e2545b087972b86507843c6a7836b6d |
| 8245948102e25702a0ca9362ecab0372cc14bdd175941d6895432391da4bb0df | SHA-256 | SHA256 of 8badce03b976fa1a4a3ab1b73ce6e158daf35b2a |
| 960b6205842de977ee945985237bea9a3b3b8cf2400e1968dda8fa3541be95dd | SHA-256 | SHA256 of 054b9e9a9b76eccbce00e8f4d249a8e93f178f3c |
| 9cfd466435bbbd9415c6e45e7fe95fc015cffb6966dca15d6490ee6216e54519 | SHA-256 | SHA256 of 5011e937851f3c4ecbd540d89a5dffd52922dfff |
| 9e7173cead96812ec53c75b90918c6ebfc201f4690f8503996d7fa9b28f28793 | SHA-256 | SHA256 of 752cbf3b0a18831b1ee02c8850517c695ddda98e |
| e4301e87db791b712bbd690aee4a981d547213afb7d2ce2e9932731c9734ac00 | SHA-256 | SHA256 of 370e410383244c9f1ff75acb4d0dfbef29b483f6 |
| e94ec5980d1f7cc5b9ece979caf01803b6f75408ebaa83016f3071514a73d443 | SHA-256 | SHA256 of fb889b6fb1a05854ddab3dc056a4be6a6129c8b0 |
Ip
| Value | Description |
|---|---|
| 79.110.49.212 | CC=TR ASN=AS209371 private network |
| 91.200.14.14 | CC=UA ASN=ASNone |
Domain
| Value | Description |
|---|---|
| openthecahe.com | — |
| temp-xy.com | — |
| 30.openthecahe.com | — |
| down.temp-xy.com | — |
| git.temp-xy.com | — |
| logs.temp-xy.com | — |
| test.temp-xy.com | — |
| time.temp-xy.com | — |
| www.openthecahe.com | — |
Url
| Value | Description |
|---|---|
| https://down.temp-xy.com/code/k.txt | 9421dec904e6d8c12dc2fce3df353541a721cb69e2b27055928ac6c9f10cc47f |
| https://down.temp-xy.com/code/s.txt | 28c21c3421215b7cd9c741f795aa30cc1be6bb07bbcd65e3e1e8adda6691ffe6 |
| https://down.temp-xy.com/update/onedrive.zip | — |
| https://down.temp-xy.com/update/onedrivetwo.zip | — |
| https://down.temp-xy.com/update/python3.zip | — |
| https://down.temp-xy.com/zip/one.zip | — |
| https://down.temp-xy.com/zip/two.zip | — |
Threat ID: 693945e8681246c13df08656
Added to database: 12/10/2025, 10:05:28 AM
Last enriched: 12/10/2025, 10:21:00 AM
Last updated: 12/10/2025, 12:06:24 PM