ThreatFox IOCs for 2024-02-11
ThreatFox IOCs for 2024-02-11
AI Analysis
Technical Summary
The provided information pertains to a malware-related threat identified as "ThreatFox IOCs for 2024-02-11," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. The threat is categorized under "type:osint," indicating that it primarily involves open-source intelligence gathering or dissemination of related indicators rather than a specific malware family or exploit. No specific affected product versions or detailed technical characteristics are provided, and no known exploits in the wild have been reported. The threat level is indicated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting moderate distribution activity but limited detailed analysis. The absence of concrete IOCs or technical details limits the ability to pinpoint the exact nature or behavior of the malware. The medium severity rating assigned by the source reflects a moderate risk, likely due to the potential for this malware to be used in reconnaissance or initial infection stages, which could lead to further compromise if leveraged effectively. The lack of CWE identifiers and patch links implies that this threat may not be tied to a specific vulnerability but rather represents a general malware campaign or a collection of IOCs relevant for situational awareness and defensive measures.
Potential Impact
For European organizations, the impact of this threat is currently assessed as moderate. Given the malware's classification under OSINT and the absence of known active exploits, the immediate risk to confidentiality, integrity, and availability is limited. However, the distribution score suggests that the malware or its indicators are moderately widespread, which could facilitate reconnaissance activities or serve as a precursor to more targeted attacks. European entities involved in critical infrastructure, finance, or government sectors could be indirectly impacted if threat actors use this malware to gather intelligence or establish footholds for subsequent operations. The lack of detailed technical data restricts precise impact assessment, but organizations should remain vigilant as such malware can be leveraged for lateral movement or data exfiltration once initial access is achieved.
Mitigation Recommendations
Given the limited technical specifics, mitigation should focus on enhancing detection and response capabilities tailored to OSINT-related malware campaigns. Organizations should: 1) Integrate ThreatFox IOCs and similar threat intelligence feeds into Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to improve early detection of related indicators. 2) Conduct regular threat hunting exercises focusing on reconnaissance and initial access techniques that may be associated with this malware. 3) Strengthen network segmentation and access controls to limit lateral movement if initial compromise occurs. 4) Educate security teams on emerging OSINT-based threats and encourage sharing of intelligence within trusted communities. 5) Maintain up-to-date endpoint protection solutions capable of behavioral analysis to detect anomalous activities that may not match known signatures. 6) Since no patches are available, emphasize proactive monitoring and incident response readiness rather than reliance on vulnerability remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- file: 46.246.84.15
- hash: 1995
- file: 171.228.211.109
- hash: 56999
- domain: kami.shopkami.site
- domain: peces.duckdns.org
- domain: advisory-cabinetgpk.servehttp.com
- domain: awards-piacaero.servehalflife.com
- domain: awards-piacaero.servehttp.com
- domain: cap-mofagovpk.servehttp.com
- domain: cap-mofapk.servehttp.com
- domain: circular-financegov.servehalflife.com
- domain: eservice-ptclnetpk.servehttp.com
- domain: finance-govpk.serveblog.net
- domain: finance-govpk.serveftp.com
- domain: financegovpk.servehttp.com
- domain: hrmis-financegovpk.serveftp.com
- domain: mail-bafmilbd.servequake.com
- domain: mail-depogovpk.servehttp.com
- domain: mail-dgdpgovpk.servehalflife.com
- domain: mail-modgovpk.servehttp.com
- domain: mail-mofagovpk.ddns.net
- domain: mail-mofagovpk.gotdns.ch
- domain: mail-mofagovpk.myddns.me
- domain: mail-mofapk.servehttp.com
- domain: mail-scogovpk.servehalflife.com
- domain: mailhitgovpk.servehalflife.com
- domain: nanfung.servehttp.com
- domain: navy-govbd.servehttp.com
- domain: newmail-armymilbd.servehttp.com
- domain: news-ptvcompk.servehttp.com
- domain: offer-ptclnetpk.servehttp.com
- domain: offers-ptclnetpk.serveblog.net
- domain: offers-ptclnetpk.serveftp.com
- domain: offers-ptclnetpk.serveirc.com
- domain: ogdcl.servehttp.com
- domain: piac-compk.servehttp.com
- domain: portal-ptclnetpk.servehttp.com
- domain: sdmx-financegovpk.servehttp.com
- domain: sharepakistan-mofa.viewdns.net
- domain: support-ntc.servehttp.com
- domain: vibe-ptclnetpk.servehttp.com
- file: 3.67.161.133
- hash: 13977
- file: 45.95.146.13
- hash: 38241
- domain: win32avemaria.com
- domain: serenys.xyz
- url: http://193.233.132.167/enigma/index.php
- url: http://185.215.113.32/yandex/index.php
- domain: junio2023.duckdns.org
- url: http://a0905554.xsph.ru/l1nc0in.php
- file: 78.47.191.114
- hash: 80
- file: 78.47.191.114
- hash: 443
- file: 144.76.203.197
- hash: 80
- file: 78.40.116.82
- hash: 9090
- file: 68.183.86.25
- hash: 49492
- file: 120.48.101.89
- hash: 37128
- file: 117.72.35.189
- hash: 50050
- file: 159.223.77.150
- hash: 58393
- file: 101.201.224.75
- hash: 50050
- file: 20.231.208.182
- hash: 7788
- file: 124.222.234.106
- hash: 12345
- file: 1.15.248.225
- hash: 38248
- file: 74.48.158.197
- hash: 30080
- file: 1.117.117.147
- hash: 2020
- file: 120.79.154.38
- hash: 55667
- file: 208.68.36.130
- hash: 50050
- file: 175.178.83.204
- hash: 50050
- file: 101.43.2.243
- hash: 26356
- file: 31.192.235.73
- hash: 48126
- file: 8.218.137.213
- hash: 50017
- file: 106.52.244.189
- hash: 10000
- file: 149.50.211.216
- hash: 50050
- file: 43.154.39.87
- hash: 28080
- file: 47.120.50.234
- hash: 35550
- file: 132.226.123.210
- hash: 1337
- file: 18.197.239.109
- hash: 16992
- file: 3.69.115.178
- hash: 16992
- file: 3.66.38.117
- hash: 16992
- file: 3.68.171.119
- hash: 16992
- file: 45.76.46.64
- hash: 6606
- file: 91.238.181.248
- hash: 8080
- file: 193.178.147.164
- hash: 443
- file: 159.69.207.158
- hash: 443
- file: 45.61.159.30
- hash: 443
- file: 43.132.212.200
- hash: 22694
- file: 121.127.33.246
- hash: 80
- file: 5.182.36.131
- hash: 80
- file: 117.200.61.202
- hash: 445
- file: 84.155.10.84
- hash: 995
- file: 151.30.51.255
- hash: 443
- file: 160.176.66.130
- hash: 995
- file: 41.98.245.251
- hash: 443
- file: 124.220.0.201
- hash: 4849
- file: 185.193.126.155
- hash: 8888
- file: 154.9.249.116
- hash: 8888
- file: 216.118.230.118
- hash: 33452
- domain: vibe-ptclnetpk.viewdns.net
- file: 185.215.113.32
- hash: 80
- file: 193.233.132.167
- hash: 80
- url: https://104.236.71.61/s/ref=nb_sb_noss_1/926-87643065-0301867/field-keywords=time
- file: 104.236.71.61
- hash: 443
- domain: teaigame.com
- url: https://teaigame.com/game/teai_demo.exe
- url: https://78.85.17.88/pixel
- file: 18.197.239.109
- hash: 17032
- file: 3.66.38.117
- hash: 17032
- domain: sbdatabase.com
- url: http://cr13705.tw1.ru/_defaultwindows.php
- file: 85.192.32.83
- hash: 1194
- url: http://217.25.94.158/0linuxcdnpipe/windowsto/providerproton/347/auth5dumpjs/84geotemporary/vmto_processauthlongpolltraffictrackcdn.php
- url: http://139.196.191.50:8018/cx
- url: http://81.68.248.191:8021/ca
- url: http://43.251.159.58:8637/j.ad
- domain: 53d5-66-154-102-195.ngrok-free.app
- file: 45.153.230.56
- hash: 7777
- file: 3.125.209.94
- hash: 14114
- file: 5.39.43.50
- hash: 7777
- domain: ccuk.edenexit.com
- domain: winkimedia.it
- file: 94.156.69.147
- hash: 61616
- file: 94.156.71.221
- hash: 1291
- url: https://117.50.162.183/dot.gif
- file: 117.50.162.183
- hash: 443
- file: 185.237.206.77
- hash: 80
- file: 91.211.247.89
- hash: 80
- file: 193.242.211.154
- hash: 80
- url: http://61.163.138.230:45530/mozi.m
- file: 157.254.20.34
- hash: 6607
- file: 78.19.61.12
- hash: 2222
- file: 5.182.87.145
- hash: 80
- url: http://107.189.14.144:8080/ptj
- url: https://122.51.220.170/pixel
- url: http://122.51.220.170/ptj
- url: https://107.189.14.144/pixel.gif
- file: 103.186.215.56
- hash: 53
- domain: ns1.mb-testing.de
- file: 64.225.111.119
- hash: 53
- domain: dev.cabul.bbtecno.com
- domain: hom.cabul.bbtecno.com
- file: 173.212.224.123
- hash: 53
ThreatFox IOCs for 2024-02-11
Description
ThreatFox IOCs for 2024-02-11
AI-Powered Analysis
Technical Analysis
The provided information pertains to a malware-related threat identified as "ThreatFox IOCs for 2024-02-11," sourced from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. The threat is categorized under "type:osint," indicating that it primarily involves open-source intelligence gathering or dissemination of related indicators rather than a specific malware family or exploit. No specific affected product versions or detailed technical characteristics are provided, and no known exploits in the wild have been reported. The threat level is indicated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting moderate distribution activity but limited detailed analysis. The absence of concrete IOCs or technical details limits the ability to pinpoint the exact nature or behavior of the malware. The medium severity rating assigned by the source reflects a moderate risk, likely due to the potential for this malware to be used in reconnaissance or initial infection stages, which could lead to further compromise if leveraged effectively. The lack of CWE identifiers and patch links implies that this threat may not be tied to a specific vulnerability but rather represents a general malware campaign or a collection of IOCs relevant for situational awareness and defensive measures.
Potential Impact
For European organizations, the impact of this threat is currently assessed as moderate. Given the malware's classification under OSINT and the absence of known active exploits, the immediate risk to confidentiality, integrity, and availability is limited. However, the distribution score suggests that the malware or its indicators are moderately widespread, which could facilitate reconnaissance activities or serve as a precursor to more targeted attacks. European entities involved in critical infrastructure, finance, or government sectors could be indirectly impacted if threat actors use this malware to gather intelligence or establish footholds for subsequent operations. The lack of detailed technical data restricts precise impact assessment, but organizations should remain vigilant as such malware can be leveraged for lateral movement or data exfiltration once initial access is achieved.
Mitigation Recommendations
Given the limited technical specifics, mitigation should focus on enhancing detection and response capabilities tailored to OSINT-related malware campaigns. Organizations should: 1) Integrate ThreatFox IOCs and similar threat intelligence feeds into Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to improve early detection of related indicators. 2) Conduct regular threat hunting exercises focusing on reconnaissance and initial access techniques that may be associated with this malware. 3) Strengthen network segmentation and access controls to limit lateral movement if initial compromise occurs. 4) Educate security teams on emerging OSINT-based threats and encourage sharing of intelligence within trusted communities. 5) Maintain up-to-date endpoint protection solutions capable of behavioral analysis to detect anomalous activities that may not match known signatures. 6) Since no patches are available, emphasize proactive monitoring and incident response readiness rather than reliance on vulnerability remediation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- 0eb59aad-7479-4673-baf5-77ea286970a3
- Original Timestamp
- 1707696187
Indicators of Compromise
File
| Value | Description | Copy |
|---|---|---|
file46.246.84.15 | NjRAT botnet C2 server (confidence level: 75%) | |
file171.228.211.109 | Mirai botnet C2 server (confidence level: 75%) | |
file3.67.161.133 | NjRAT botnet C2 server (confidence level: 75%) | |
file45.95.146.13 | Mirai botnet C2 server (confidence level: 75%) | |
file78.47.191.114 | Vidar botnet C2 server (confidence level: 80%) | |
file78.47.191.114 | Vidar botnet C2 server (confidence level: 80%) | |
file144.76.203.197 | Hook botnet C2 server (confidence level: 80%) | |
file78.40.116.82 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file68.183.86.25 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file120.48.101.89 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file117.72.35.189 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file159.223.77.150 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file101.201.224.75 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file20.231.208.182 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file124.222.234.106 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file1.15.248.225 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file74.48.158.197 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file1.117.117.147 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file120.79.154.38 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file208.68.36.130 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file175.178.83.204 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file101.43.2.243 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file31.192.235.73 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file8.218.137.213 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file106.52.244.189 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file149.50.211.216 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file43.154.39.87 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file47.120.50.234 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
file132.226.123.210 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file18.197.239.109 | NjRAT botnet C2 server (confidence level: 100%) | |
file3.69.115.178 | NjRAT botnet C2 server (confidence level: 100%) | |
file3.66.38.117 | NjRAT botnet C2 server (confidence level: 75%) | |
file3.68.171.119 | NjRAT botnet C2 server (confidence level: 75%) | |
file45.76.46.64 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file91.238.181.248 | BianLian botnet C2 server (confidence level: 50%) | |
file193.178.147.164 | Havoc botnet C2 server (confidence level: 50%) | |
file159.69.207.158 | Havoc botnet C2 server (confidence level: 50%) | |
file45.61.159.30 | Havoc botnet C2 server (confidence level: 50%) | |
file43.132.212.200 | Havoc botnet C2 server (confidence level: 50%) | |
file121.127.33.246 | Havoc botnet C2 server (confidence level: 50%) | |
file5.182.36.131 | Responder botnet C2 server (confidence level: 50%) | |
file117.200.61.202 | Responder botnet C2 server (confidence level: 50%) | |
file84.155.10.84 | QakBot botnet C2 server (confidence level: 50%) | |
file151.30.51.255 | QakBot botnet C2 server (confidence level: 50%) | |
file160.176.66.130 | QakBot botnet C2 server (confidence level: 50%) | |
file41.98.245.251 | QakBot botnet C2 server (confidence level: 50%) | |
file124.220.0.201 | Unknown malware botnet C2 server (confidence level: 50%) | |
file185.193.126.155 | Unknown malware botnet C2 server (confidence level: 50%) | |
file154.9.249.116 | Unknown malware botnet C2 server (confidence level: 50%) | |
file216.118.230.118 | Unknown malware botnet C2 server (confidence level: 50%) | |
file185.215.113.32 | Amadey botnet C2 server (confidence level: 50%) | |
file193.233.132.167 | Amadey botnet C2 server (confidence level: 50%) | |
file104.236.71.61 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file18.197.239.109 | NjRAT botnet C2 server (confidence level: 75%) | |
file3.66.38.117 | NjRAT botnet C2 server (confidence level: 75%) | |
file85.192.32.83 | NjRAT botnet C2 server (confidence level: 75%) | |
file45.153.230.56 | NjRAT botnet C2 server (confidence level: 75%) | |
file3.125.209.94 | NjRAT botnet C2 server (confidence level: 75%) | |
file5.39.43.50 | NjRAT botnet C2 server (confidence level: 75%) | |
file94.156.69.147 | Unknown malware botnet C2 server (confidence level: 100%) | |
file94.156.71.221 | Unknown malware botnet C2 server (confidence level: 100%) | |
file117.50.162.183 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.237.206.77 | Socks5 Systemz botnet C2 server (confidence level: 100%) | |
file91.211.247.89 | Socks5 Systemz botnet C2 server (confidence level: 100%) | |
file193.242.211.154 | Socks5 Systemz botnet C2 server (confidence level: 100%) | |
file157.254.20.34 | Deimos botnet C2 server (confidence level: 50%) | |
file78.19.61.12 | QakBot botnet C2 server (confidence level: 50%) | |
file5.182.87.145 | Meduza Stealer botnet C2 server (confidence level: 50%) | |
file103.186.215.56 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file64.225.111.119 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file173.212.224.123 | Cobalt Strike botnet C2 server (confidence level: 100%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash1995 | NjRAT botnet C2 server (confidence level: 75%) | |
hash56999 | Mirai botnet C2 server (confidence level: 75%) | |
hash13977 | NjRAT botnet C2 server (confidence level: 75%) | |
hash38241 | Mirai botnet C2 server (confidence level: 75%) | |
hash80 | Vidar botnet C2 server (confidence level: 80%) | |
hash443 | Vidar botnet C2 server (confidence level: 80%) | |
hash80 | Hook botnet C2 server (confidence level: 80%) | |
hash9090 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash49492 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash37128 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash58393 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash7788 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash12345 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash38248 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash30080 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash2020 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash55667 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash26356 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash48126 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash50017 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash10000 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash28080 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash35550 | Cobalt Strike botnet C2 server (confidence level: 80%) | |
hash1337 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash16992 | NjRAT botnet C2 server (confidence level: 100%) | |
hash16992 | NjRAT botnet C2 server (confidence level: 100%) | |
hash16992 | NjRAT botnet C2 server (confidence level: 75%) | |
hash16992 | NjRAT botnet C2 server (confidence level: 75%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8080 | BianLian botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash443 | Havoc botnet C2 server (confidence level: 50%) | |
hash22694 | Havoc botnet C2 server (confidence level: 50%) | |
hash80 | Havoc botnet C2 server (confidence level: 50%) | |
hash80 | Responder botnet C2 server (confidence level: 50%) | |
hash445 | Responder botnet C2 server (confidence level: 50%) | |
hash995 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash995 | QakBot botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 50%) | |
hash4849 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash33452 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash80 | Amadey botnet C2 server (confidence level: 50%) | |
hash80 | Amadey botnet C2 server (confidence level: 50%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash17032 | NjRAT botnet C2 server (confidence level: 75%) | |
hash17032 | NjRAT botnet C2 server (confidence level: 75%) | |
hash1194 | NjRAT botnet C2 server (confidence level: 75%) | |
hash7777 | NjRAT botnet C2 server (confidence level: 75%) | |
hash14114 | NjRAT botnet C2 server (confidence level: 75%) | |
hash7777 | NjRAT botnet C2 server (confidence level: 75%) | |
hash61616 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash1291 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Socks5 Systemz botnet C2 server (confidence level: 100%) | |
hash80 | Socks5 Systemz botnet C2 server (confidence level: 100%) | |
hash80 | Socks5 Systemz botnet C2 server (confidence level: 100%) | |
hash6607 | Deimos botnet C2 server (confidence level: 50%) | |
hash2222 | QakBot botnet C2 server (confidence level: 50%) | |
hash80 | Meduza Stealer botnet C2 server (confidence level: 50%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 100%) |
Domain
| Value | Description | Copy |
|---|---|---|
domainkami.shopkami.site | Mirai botnet C2 domain (confidence level: 75%) | |
domainpeces.duckdns.org | NjRAT botnet C2 domain (confidence level: 75%) | |
domainadvisory-cabinetgpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainawards-piacaero.servehalflife.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainawards-piacaero.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domaincap-mofagovpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domaincap-mofapk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domaincircular-financegov.servehalflife.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domaineservice-ptclnetpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainfinance-govpk.serveblog.net | SideWinder botnet C2 domain (confidence level: 100%) | |
domainfinance-govpk.serveftp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainfinancegovpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainhrmis-financegovpk.serveftp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-bafmilbd.servequake.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-depogovpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-dgdpgovpk.servehalflife.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-modgovpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-mofagovpk.ddns.net | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-mofagovpk.gotdns.ch | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-mofagovpk.myddns.me | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-mofapk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmail-scogovpk.servehalflife.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainmailhitgovpk.servehalflife.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainnanfung.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainnavy-govbd.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainnewmail-armymilbd.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainnews-ptvcompk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainoffer-ptclnetpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainoffers-ptclnetpk.serveblog.net | SideWinder botnet C2 domain (confidence level: 100%) | |
domainoffers-ptclnetpk.serveftp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainoffers-ptclnetpk.serveirc.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainogdcl.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainpiac-compk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainportal-ptclnetpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainsdmx-financegovpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainsharepakistan-mofa.viewdns.net | SideWinder botnet C2 domain (confidence level: 100%) | |
domainsupport-ntc.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainvibe-ptclnetpk.servehttp.com | SideWinder botnet C2 domain (confidence level: 100%) | |
domainwin32avemaria.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domainserenys.xyz | Unknown malware botnet C2 domain (confidence level: 100%) | |
domainjunio2023.duckdns.org | NjRAT botnet C2 domain (confidence level: 75%) | |
domainvibe-ptclnetpk.viewdns.net | SideWinder botnet C2 domain (confidence level: 100%) | |
domainteaigame.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domainsbdatabase.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domain53d5-66-154-102-195.ngrok-free.app | Gomorrah stealer botnet C2 domain (confidence level: 50%) | |
domainccuk.edenexit.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainwinkimedia.it | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainns1.mb-testing.de | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domaindev.cabul.bbtecno.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainhom.cabul.bbtecno.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://193.233.132.167/enigma/index.php | Amadey botnet C2 (confidence level: 100%) | |
urlhttp://185.215.113.32/yandex/index.php | Amadey botnet C2 (confidence level: 100%) | |
urlhttp://a0905554.xsph.ru/l1nc0in.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://104.236.71.61/s/ref=nb_sb_noss_1/926-87643065-0301867/field-keywords=time | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://teaigame.com/game/teai_demo.exe | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://78.85.17.88/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://cr13705.tw1.ru/_defaultwindows.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://217.25.94.158/0linuxcdnpipe/windowsto/providerproton/347/auth5dumpjs/84geotemporary/vmto_processauthlongpolltraffictrackcdn.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://139.196.191.50:8018/cx | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://81.68.248.191:8021/ca | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://43.251.159.58:8637/j.ad | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://117.50.162.183/dot.gif | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://61.163.138.230:45530/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://107.189.14.144:8080/ptj | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://122.51.220.170/pixel | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttp://122.51.220.170/ptj | Cobalt Strike botnet C2 (confidence level: 100%) | |
urlhttps://107.189.14.144/pixel.gif | Cobalt Strike botnet C2 (confidence level: 100%) |
Threat ID: 682b7ba5d3ddd8cef2e884bc
Added to database: 5/19/2025, 6:42:45 PM
Last enriched: 6/18/2025, 7:03:02 PM
Last updated: 12/2/2025, 11:57:30 AM
Views: 35
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
ThreatFox IOCs for 2025-12-01
MediumNew Albiriox Android Malware Developed by Russian Cybercriminals
MediumWebinar: The "Agentic" Trojan Horse: Why the New AI Browsers War is a Nightmare for Security Teams
MediumNew Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control
MediumThreatFox IOCs for 2025-11-30
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.