ThreatFox IOCs for 2025-04-19
Severity: mediumType: malware
ThreatFox IOCs for 2025-04-19
AI Analysis
Technical Summary
The provided threat intelligence report titled "ThreatFox IOCs for 2025-04-19" pertains to a malware-related threat categorized under the "osint" product type. The report originates from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. However, the technical details and metadata indicate limited specific information about the malware itself. There are no affected versions listed, no CWE identifiers, no patch links, and no known exploits in the wild. The threat level is indicated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting a low to moderate distribution but limited analytical detail. The absence of indicators and technical specifics implies that this report primarily serves as a collection or notification of IOCs rather than a detailed malware analysis. The "type:osint" tag and the "tlp:white" marking indicate that the information is openly shareable and derived from open-source intelligence. Overall, this threat appears to be a medium-severity malware-related intelligence update with limited actionable technical details at this time.
Potential Impact
Given the limited technical details and absence of known exploits in the wild, the immediate impact on European organizations is likely to be low to moderate. However, as the threat is categorized as malware and distributed through OSINT channels, there is potential for targeted or opportunistic attacks that could affect confidentiality, integrity, or availability if the malware is deployed effectively. The lack of specific affected versions or vulnerabilities suggests that the malware may be either newly identified or not yet widely exploited. European organizations relying on OSINT tools or platforms that might ingest or process such IOCs could face risks if these indicators are weaponized or if the malware targets specific infrastructure. Potential impacts include data exfiltration, system compromise, or disruption of services, but without further details, these remain speculative. The medium severity rating suggests vigilance but not immediate alarm.
Mitigation Recommendations
1. Enhance OSINT ingestion security: Organizations should validate and sandbox any IOCs or threat intelligence data before integrating them into security monitoring tools to prevent accidental execution or compromise. 2. Monitor threat intelligence feeds: Continuously track updates from ThreatFox and similar platforms for additional context or emerging indicators related to this malware. 3. Strengthen endpoint detection and response (EDR): Deploy and tune EDR solutions to detect anomalous behaviors potentially linked to new or unknown malware. 4. Conduct regular threat hunting: Proactively search for signs of compromise related to the reported IOCs, even if none are currently known. 5. Employee awareness and training: Educate staff on the risks of malware and the importance of cautious handling of OSINT data and suspicious files. 6. Network segmentation and least privilege: Limit the potential spread of malware by segmenting critical systems and enforcing strict access controls. 7. Incident response readiness: Prepare and test incident response plans to quickly address any future detections related to this threat. These measures go beyond generic advice by focusing on the safe handling of OSINT data and proactive detection strategies tailored to the nature of this intelligence.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Indicators of Compromise
- domain: check.saguf.icu
- file: 194.59.31.74
- hash: 17527
- file: 196.251.88.99
- hash: 2404
- file: 62.60.226.101
- hash: 40106
- file: 45.94.31.80
- hash: 2404
- file: 192.177.111.67
- hash: 2404
- file: 197.224.236.164
- hash: 7443
- file: 162.250.124.62
- hash: 8080
- file: 111.229.202.115
- hash: 8083
- file: 171.227.30.106
- hash: 8000
- file: 35.179.100.140
- hash: 10261
- file: 35.78.171.69
- hash: 1963
- file: 18.222.12.121
- hash: 103
- file: 18.222.12.121
- hash: 2003
- file: 18.222.12.121
- hash: 34203
- file: 196.251.80.109
- hash: 80
- file: 176.65.144.18
- hash: 69
- domain: ht.bzmajiang.cn
- domain: www.x6se.buzz
- file: 209.141.33.93
- hash: 5538
- file: 45.79.145.180
- hash: 31337
- domain: ec2-16-163-161-107.ap-east-1.compute.amazonaws.com
- file: 196.251.116.201
- hash: 2007
- file: 196.251.69.26
- hash: 222
- file: 2.56.245.216
- hash: 4608
- file: 171.227.30.106
- hash: 5000
- file: 20.240.184.170
- hash: 80
- file: 147.135.209.16
- hash: 4433
- file: 147.135.209.16
- hash: 8081
- file: 13.203.232.69
- hash: 2052
- file: 52.91.218.1
- hash: 101
- file: 81.70.202.246
- hash: 60000
- file: 52.212.98.5
- hash: 443
- file: 130.61.248.49
- hash: 6666
- file: 152.53.130.64
- hash: 3333
- file: 23.94.212.181
- hash: 443
- file: 47.113.227.68
- hash: 9205
- file: 3.110.28.213
- hash: 3333
- file: 103.150.92.3
- hash: 3333
- file: 3.18.121.82
- hash: 8443
- file: 208.40.7.3
- hash: 3333
- file: 120.26.235.70
- hash: 3333
- file: 51.159.187.214
- hash: 3615
- file: 80.71.149.20
- hash: 3333
- file: 106.15.227.21
- hash: 7000
- file: 100.26.43.242
- hash: 8888
- file: 3.104.57.100
- hash: 443
- file: 209.182.239.173
- hash: 4433
- file: 43.133.72.43
- hash: 443
- file: 54.159.118.2
- hash: 443
- file: 95.169.25.146
- hash: 50050
- file: 173.249.24.35
- hash: 31337
- file: 45.76.156.251
- hash: 31337
- file: 137.184.239.125
- hash: 31337
- file: 103.68.251.141
- hash: 8869
- file: 35.178.244.216
- hash: 873
- file: 222.89.70.13
- hash: 9088
- file: 149.210.62.42
- hash: 443
- url: http://10.99.1.101/en-us/supershell/login/auth
- url: https://quicklinks-online.com/
- url: http://141.164.61.168
- domain: lynmor.com
- domain: grrlspace.com
- domain: reddit.co.im
- domain: futuristx.live
- domain: synmedsp.live
- domain: four-meme.dev
- domain: 9xuj2tcnm.localto.net
- domain: go.gets-it.net
- file: 188.240.81.233
- hash: 3131
- domain: rhymers.duckdns.org
- file: 38.102.9.64
- hash: 23074
- file: 45.88.91.214
- hash: 4500
- url: https://pastebin.com/raw/9hzqgnjr
- domain: although-cholesterol.gl.at.ply.gg
- domain: interface-owners.gl.at.ply.gg
- domain: match-charity.gl.at.ply.gg
- domain: o-sufficient.gl.at.ply.gg
- url: http://182.124.109.206:54689/mozi.m
- url: https://fstarofliught.top/wozd
- file: 121.43.160.89
- hash: 10001
- file: 139.9.61.175
- hash: 8443
- file: 47.86.107.151
- hash: 80
- file: 176.113.82.51
- hash: 443
- file: 104.168.57.116
- hash: 9999
- file: 106.75.12.246
- hash: 81
- file: 23.94.54.13
- hash: 8443
- file: 148.135.90.11
- hash: 8443
- file: 198.98.57.26
- hash: 4433
- domain: check.hosam.icu
- url: https://check.hosam.icu/gkcxv.google
- file: 103.96.130.111
- hash: 80
- file: 94.140.114.150
- hash: 8080
- file: 45.45.217.148
- hash: 80
- domain: office.socalmediazone.com
- domain: account.st4b4n.fr
- file: 171.227.30.106
- hash: 6001
- file: 18.116.20.64
- hash: 4839
- file: 51.79.160.146
- hash: 808
- file: 154.201.91.52
- hash: 808
- file: 176.65.149.67
- hash: 80
- file: 106.75.215.144
- hash: 443
- file: 13.51.167.241
- hash: 9142
- domain: check.colaj.icu
- url: https://check.colaj.icu/gkcxv.google
- file: 71.187.100.156
- hash: 2222
- file: 91.92.46.42
- hash: 80
- url: http://lumbersmile.icu/apri.php
- url: http://lumbersmile.icu/apr.php
- domain: lumbersmile.icu
- url: https://4asalaccgfa.top/gsooz
- domain: check.wewum.icu
- url: https://check.wewum.icu/gkcxv.google
- file: 196.251.70.239
- hash: 2404
- file: 185.38.142.128
- hash: 443
- file: 196.251.116.190
- hash: 4507
- file: 35.220.140.248
- hash: 8443
- file: 123.57.20.184
- hash: 8888
- file: 163.5.210.172
- hash: 8808
- file: 81.17.24.234
- hash: 6606
- file: 163.172.125.253
- hash: 300
- file: 195.10.205.179
- hash: 8089
- file: 77.110.106.151
- hash: 8089
- file: 196.251.87.16
- hash: 80
- file: 45.45.217.148
- hash: 8089
- file: 206.166.251.139
- hash: 443
- file: 188.166.174.146
- hash: 8080
- file: 188.166.174.146
- hash: 443
- file: 156.253.227.252
- hash: 80
- url: http://103.48.64.50:38680/mozi.m
- url: http://117.209.117.141:55381/mozi.m
- url: http://102.33.34.151:35209/mozi.m
- domain: 4gjhr5qxhyaj1.cfc-execute.bj.baidubce.com
- domain: yyds.chinaunciom.sbs
- file: 111.230.161.5
- hash: 8080
- file: 119.91.246.70
- hash: 443
- file: 134.175.159.214
- hash: 8080
- file: 176.113.82.51
- hash: 80
- file: 36.41.71.241
- hash: 2086
- url: http://185.208.158.182:8090/pages/login.php
- file: 45.83.207.17
- hash: 6522
- file: 88.214.48.65
- hash: 423
- file: 88.214.48.65
- hash: 417
- file: 88.214.48.65
- hash: 428
- file: 88.214.48.66
- hash: 416
- file: 88.214.48.66
- hash: 430
- file: 88.214.48.64
- hash: 424
- file: 88.214.48.64
- hash: 418
- file: 88.214.48.65
- hash: 425
- file: 88.214.48.65
- hash: 419
- file: 88.214.48.66
- hash: 421
- file: 88.214.48.65
- hash: 416
- file: 88.214.48.64
- hash: 426
- file: 88.214.48.65
- hash: 431
- file: 88.214.48.65
- hash: 424
- file: 47.116.34.88
- hash: 9000
- file: 118.31.118.190
- hash: 80
- file: 192.142.0.149
- hash: 80
- file: 62.60.226.21
- hash: 40106
- file: 31.220.81.57
- hash: 2404
- file: 196.251.116.190
- hash: 2404
- file: 185.165.170.222
- hash: 2404
- file: 196.251.116.158
- hash: 4507
- file: 144.91.103.204
- hash: 31337
- file: 64.52.80.67
- hash: 443
- file: 89.40.31.130
- hash: 1010
- file: 128.90.106.203
- hash: 8808
- domain: auth.echelonai.world
- file: 77.110.106.151
- hash: 80
- file: 192.153.57.203
- hash: 8080
- file: 185.177.239.155
- hash: 443
- file: 171.227.30.106
- hash: 6000
- file: 54.219.14.165
- hash: 2628
- file: 217.114.43.122
- hash: 4000
- url: https://check.pejel.icu/gkcxv.google
- file: 4.227.206.117
- hash: 443
- file: 101.200.76.102
- hash: 8080
- file: 179.43.186.234
- hash: 443
- file: 45.88.186.113
- hash: 8808
- file: 188.166.174.146
- hash: 80
- file: 198.135.50.66
- hash: 4449
- file: 93.198.178.131
- hash: 81
- file: 66.63.187.82
- hash: 80
- file: 118.161.8.213
- hash: 443
- file: 163.181.143.92
- hash: 4506
- file: 50.106.3.62
- hash: 995
- domain: mail1.lasthit.store
- domain: mail2.lasthit.store
- file: 172.104.60.134
- hash: 53
- url: https://8salaccgfa.top/gsooz
- domain: api.googleshop.xyz
- file: 152.136.17.91
- hash: 9999
- file: 179.43.186.234
- hash: 80
- file: 198.98.57.26
- hash: 8443
ThreatFox IOCs for 2025-04-19
Medium
Published: Sat Apr 19 2025 (04/19/2025, 00:00:00 UTC)
Source: ThreatFox
Vendor/Project: type
Product: osint
Description
ThreatFox IOCs for 2025-04-19
AI-Powered Analysis
AILast updated: 06/18/2025, 08:06:04 UTC
Technical Analysis
The provided threat intelligence report titled "ThreatFox IOCs for 2025-04-19" pertains to a malware-related threat categorized under the "osint" product type. The report originates from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence data. However, the technical details and metadata indicate limited specific information about the malware itself. There are no affected versions listed, no CWE identifiers, no patch links, and no known exploits in the wild. The threat level is indicated as 2 on an unspecified scale, with analysis and distribution scores of 1 and 3 respectively, suggesting a low to moderate distribution but limited analytical detail. The absence of indicators and technical specifics implies that this report primarily serves as a collection or notification of IOCs rather than a detailed malware analysis. The "type:osint" tag and the "tlp:white" marking indicate that the information is openly shareable and derived from open-source intelligence. Overall, this threat appears to be a medium-severity malware-related intelligence update with limited actionable technical details at this time.
Potential Impact
Given the limited technical details and absence of known exploits in the wild, the immediate impact on European organizations is likely to be low to moderate. However, as the threat is categorized as malware and distributed through OSINT channels, there is potential for targeted or opportunistic attacks that could affect confidentiality, integrity, or availability if the malware is deployed effectively. The lack of specific affected versions or vulnerabilities suggests that the malware may be either newly identified or not yet widely exploited. European organizations relying on OSINT tools or platforms that might ingest or process such IOCs could face risks if these indicators are weaponized or if the malware targets specific infrastructure. Potential impacts include data exfiltration, system compromise, or disruption of services, but without further details, these remain speculative. The medium severity rating suggests vigilance but not immediate alarm.
Mitigation Recommendations
1. Enhance OSINT ingestion security: Organizations should validate and sandbox any IOCs or threat intelligence data before integrating them into security monitoring tools to prevent accidental execution or compromise. 2. Monitor threat intelligence feeds: Continuously track updates from ThreatFox and similar platforms for additional context or emerging indicators related to this malware. 3. Strengthen endpoint detection and response (EDR): Deploy and tune EDR solutions to detect anomalous behaviors potentially linked to new or unknown malware. 4. Conduct regular threat hunting: Proactively search for signs of compromise related to the reported IOCs, even if none are currently known. 5. Employee awareness and training: Educate staff on the risks of malware and the importance of cautious handling of OSINT data and suspicious files. 6. Network segmentation and least privilege: Limit the potential spread of malware by segmenting critical systems and enforcing strict access controls. 7. Incident response readiness: Prepare and test incident response plans to quickly address any future detections related to this threat. These measures go beyond generic advice by focusing on the safe handling of OSINT data and proactive detection strategies tailored to the nature of this intelligence.
Affected Countries
Need more detailed analysis?Get Pro
Pro Feature
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- f9c9b7e2-7a1a-41b1-8ba7-b4c9b0e1c634
- Original Timestamp
- 1745107387
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaincheck.saguf.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domainht.bzmajiang.cn | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainwww.x6se.buzz | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainec2-16-163-161-107.ap-east-1.compute.amazonaws.com | ShadowPad botnet C2 domain (confidence level: 90%) | |
domainlynmor.com | FAKEUPDATES payload delivery domain (confidence level: 50%) | |
domaingrrlspace.com | FAKEUPDATES payload delivery domain (confidence level: 50%) | |
domainreddit.co.im | Unknown malware payload delivery domain (confidence level: 50%) | |
domainfuturistx.live | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainsynmedsp.live | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainfour-meme.dev | Unknown malware payload delivery domain (confidence level: 50%) | |
domain9xuj2tcnm.localto.net | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domaingo.gets-it.net | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainrhymers.duckdns.org | Remcos botnet C2 domain (confidence level: 50%) | |
domainalthough-cholesterol.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domaininterface-owners.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domainmatch-charity.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domaino-sufficient.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domaincheck.hosam.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domainoffice.socalmediazone.com | Hook botnet C2 domain (confidence level: 100%) | |
domainaccount.st4b4n.fr | Havoc botnet C2 domain (confidence level: 100%) | |
domaincheck.colaj.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domainlumbersmile.icu | Unknown Loader botnet C2 domain (confidence level: 100%) | |
domaincheck.wewum.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domain4gjhr5qxhyaj1.cfc-execute.bj.baidubce.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainyyds.chinaunciom.sbs | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainauth.echelonai.world | Hook botnet C2 domain (confidence level: 100%) | |
domainmail1.lasthit.store | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainmail2.lasthit.store | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainapi.googleshop.xyz | Cobalt Strike botnet C2 domain (confidence level: 75%) |
File
| Value | Description | Copy |
|---|---|---|
file194.59.31.74 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.88.99 | Remcos botnet C2 server (confidence level: 100%) | |
file62.60.226.101 | Remcos botnet C2 server (confidence level: 100%) | |
file45.94.31.80 | Remcos botnet C2 server (confidence level: 100%) | |
file192.177.111.67 | Remcos botnet C2 server (confidence level: 100%) | |
file197.224.236.164 | Unknown malware botnet C2 server (confidence level: 100%) | |
file162.250.124.62 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file111.229.202.115 | Havoc botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file35.179.100.140 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file35.78.171.69 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.222.12.121 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.222.12.121 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.222.12.121 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file196.251.80.109 | XWorm botnet C2 server (confidence level: 100%) | |
file176.65.144.18 | Bashlite botnet C2 server (confidence level: 75%) | |
file209.141.33.93 | Mirai botnet C2 server (confidence level: 75%) | |
file45.79.145.180 | Sliver botnet C2 server (confidence level: 90%) | |
file196.251.116.201 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.69.26 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file2.56.245.216 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file20.240.184.170 | ERMAC botnet C2 server (confidence level: 100%) | |
file147.135.209.16 | Unknown malware botnet C2 server (confidence level: 100%) | |
file147.135.209.16 | Unknown malware botnet C2 server (confidence level: 100%) | |
file13.203.232.69 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file52.91.218.1 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file81.70.202.246 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.212.98.5 | Unknown malware botnet C2 server (confidence level: 100%) | |
file130.61.248.49 | Unknown malware botnet C2 server (confidence level: 100%) | |
file152.53.130.64 | Unknown malware botnet C2 server (confidence level: 100%) | |
file23.94.212.181 | Unknown malware botnet C2 server (confidence level: 100%) | |
file47.113.227.68 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.110.28.213 | Unknown malware botnet C2 server (confidence level: 100%) | |
file103.150.92.3 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.18.121.82 | Unknown malware botnet C2 server (confidence level: 100%) | |
file208.40.7.3 | Unknown malware botnet C2 server (confidence level: 100%) | |
file120.26.235.70 | Unknown malware botnet C2 server (confidence level: 100%) | |
file51.159.187.214 | Unknown malware botnet C2 server (confidence level: 100%) | |
file80.71.149.20 | Unknown malware botnet C2 server (confidence level: 100%) | |
file106.15.227.21 | Unknown malware botnet C2 server (confidence level: 100%) | |
file100.26.43.242 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.104.57.100 | Unknown malware botnet C2 server (confidence level: 100%) | |
file209.182.239.173 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file43.133.72.43 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file54.159.118.2 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file95.169.25.146 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file173.249.24.35 | Sliver botnet C2 server (confidence level: 50%) | |
file45.76.156.251 | Sliver botnet C2 server (confidence level: 50%) | |
file137.184.239.125 | Sliver botnet C2 server (confidence level: 50%) | |
file103.68.251.141 | DarkComet botnet C2 server (confidence level: 50%) | |
file35.178.244.216 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file222.89.70.13 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file149.210.62.42 | Ghost RAT botnet C2 server (confidence level: 50%) | |
file188.240.81.233 | AsyncRAT botnet C2 server (confidence level: 50%) | |
file38.102.9.64 | Remcos botnet C2 server (confidence level: 50%) | |
file45.88.91.214 | Remcos botnet C2 server (confidence level: 50%) | |
file121.43.160.89 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file139.9.61.175 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file47.86.107.151 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file176.113.82.51 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file104.168.57.116 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file106.75.12.246 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file23.94.54.13 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file148.135.90.11 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file198.98.57.26 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file103.96.130.111 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file94.140.114.150 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.45.217.148 | Hook botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file18.116.20.64 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file51.79.160.146 | Kaiji botnet C2 server (confidence level: 100%) | |
file154.201.91.52 | Kaiji botnet C2 server (confidence level: 100%) | |
file176.65.149.67 | MooBot botnet C2 server (confidence level: 100%) | |
file106.75.215.144 | Sliver botnet C2 server (confidence level: 75%) | |
file13.51.167.241 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
file71.187.100.156 | QakBot botnet C2 server (confidence level: 75%) | |
file91.92.46.42 | Stealc botnet C2 server (confidence level: 100%) | |
file196.251.70.239 | Remcos botnet C2 server (confidence level: 100%) | |
file185.38.142.128 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.116.190 | Remcos botnet C2 server (confidence level: 100%) | |
file35.220.140.248 | pupy botnet C2 server (confidence level: 100%) | |
file123.57.20.184 | Unknown malware botnet C2 server (confidence level: 100%) | |
file163.5.210.172 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file81.17.24.234 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file163.172.125.253 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file195.10.205.179 | Hook botnet C2 server (confidence level: 100%) | |
file77.110.106.151 | Hook botnet C2 server (confidence level: 100%) | |
file196.251.87.16 | Hook botnet C2 server (confidence level: 100%) | |
file45.45.217.148 | Hook botnet C2 server (confidence level: 100%) | |
file206.166.251.139 | Havoc botnet C2 server (confidence level: 100%) | |
file188.166.174.146 | Havoc botnet C2 server (confidence level: 100%) | |
file188.166.174.146 | Havoc botnet C2 server (confidence level: 100%) | |
file156.253.227.252 | MooBot botnet C2 server (confidence level: 100%) | |
file111.230.161.5 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file119.91.246.70 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file134.175.159.214 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file176.113.82.51 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file36.41.71.241 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file45.83.207.17 | NjRAT botnet C2 server (confidence level: 75%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.66 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.66 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.64 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.64 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.66 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.64 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file47.116.34.88 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file118.31.118.190 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file192.142.0.149 | Remcos botnet C2 server (confidence level: 100%) | |
file62.60.226.21 | Remcos botnet C2 server (confidence level: 100%) | |
file31.220.81.57 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.116.190 | Remcos botnet C2 server (confidence level: 100%) | |
file185.165.170.222 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.116.158 | Remcos botnet C2 server (confidence level: 100%) | |
file144.91.103.204 | Sliver botnet C2 server (confidence level: 100%) | |
file64.52.80.67 | Sliver botnet C2 server (confidence level: 100%) | |
file89.40.31.130 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file128.90.106.203 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file77.110.106.151 | Hook botnet C2 server (confidence level: 100%) | |
file192.153.57.203 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file185.177.239.155 | Havoc botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file54.219.14.165 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file217.114.43.122 | Unknown malware botnet C2 server (confidence level: 100%) | |
file4.227.206.117 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file101.200.76.102 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file179.43.186.234 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.88.186.113 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file188.166.174.146 | Havoc botnet C2 server (confidence level: 100%) | |
file198.135.50.66 | Venom RAT botnet C2 server (confidence level: 100%) | |
file93.198.178.131 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file66.63.187.82 | Bashlite botnet C2 server (confidence level: 100%) | |
file118.161.8.213 | QakBot botnet C2 server (confidence level: 75%) | |
file163.181.143.92 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file50.106.3.62 | QakBot botnet C2 server (confidence level: 75%) | |
file172.104.60.134 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file152.136.17.91 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file179.43.186.234 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file198.98.57.26 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash17527 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash40106 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8080 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash8083 | Havoc botnet C2 server (confidence level: 100%) | |
hash8000 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash10261 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash1963 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash103 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash2003 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash34203 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | XWorm botnet C2 server (confidence level: 100%) | |
hash69 | Bashlite botnet C2 server (confidence level: 75%) | |
hash5538 | Mirai botnet C2 server (confidence level: 75%) | |
hash31337 | Sliver botnet C2 server (confidence level: 90%) | |
hash2007 | Remcos botnet C2 server (confidence level: 100%) | |
hash222 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash4608 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash5000 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash80 | ERMAC botnet C2 server (confidence level: 100%) | |
hash4433 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8081 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash2052 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash101 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash6666 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash9205 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3615 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash8869 | DarkComet botnet C2 server (confidence level: 50%) | |
hash873 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
hash9088 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
hash443 | Ghost RAT botnet C2 server (confidence level: 50%) | |
hash3131 | AsyncRAT botnet C2 server (confidence level: 50%) | |
hash23074 | Remcos botnet C2 server (confidence level: 50%) | |
hash4500 | Remcos botnet C2 server (confidence level: 50%) | |
hash10001 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9999 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash81 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash6001 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash4839 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash808 | Kaiji botnet C2 server (confidence level: 100%) | |
hash808 | Kaiji botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 75%) | |
hash9142 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
hash2222 | QakBot botnet C2 server (confidence level: 75%) | |
hash80 | Stealc botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash443 | Remcos botnet C2 server (confidence level: 100%) | |
hash4507 | Remcos botnet C2 server (confidence level: 100%) | |
hash8443 | pupy botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash300 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8089 | Hook botnet C2 server (confidence level: 100%) | |
hash8089 | Hook botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash8089 | Hook botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash8080 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash2086 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash6522 | NjRAT botnet C2 server (confidence level: 75%) | |
hash423 | Tofsee botnet C2 server (confidence level: 100%) | |
hash417 | Tofsee botnet C2 server (confidence level: 100%) | |
hash428 | Tofsee botnet C2 server (confidence level: 100%) | |
hash416 | Tofsee botnet C2 server (confidence level: 100%) | |
hash430 | Tofsee botnet C2 server (confidence level: 100%) | |
hash424 | Tofsee botnet C2 server (confidence level: 100%) | |
hash418 | Tofsee botnet C2 server (confidence level: 100%) | |
hash425 | Tofsee botnet C2 server (confidence level: 100%) | |
hash419 | Tofsee botnet C2 server (confidence level: 100%) | |
hash421 | Tofsee botnet C2 server (confidence level: 100%) | |
hash416 | Tofsee botnet C2 server (confidence level: 100%) | |
hash426 | Tofsee botnet C2 server (confidence level: 100%) | |
hash431 | Tofsee botnet C2 server (confidence level: 100%) | |
hash424 | Tofsee botnet C2 server (confidence level: 100%) | |
hash9000 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Remcos botnet C2 server (confidence level: 100%) | |
hash40106 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash4507 | Remcos botnet C2 server (confidence level: 100%) | |
hash31337 | Sliver botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash1010 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash8080 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash6000 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash2628 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash4000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | Havoc botnet C2 server (confidence level: 100%) | |
hash4449 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash81 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | Bashlite botnet C2 server (confidence level: 100%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash4506 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash995 | QakBot botnet C2 server (confidence level: 75%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash9999 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://10.99.1.101/en-us/supershell/login/auth | Unknown malware botnet C2 (confidence level: 50%) | |
urlhttps://quicklinks-online.com/ | Unknown malware payload delivery URL (confidence level: 50%) | |
urlhttp://141.164.61.168 | Kimsuky botnet C2 (confidence level: 50%) | |
urlhttps://pastebin.com/raw/9hzqgnjr | XWorm botnet C2 (confidence level: 50%) | |
urlhttp://182.124.109.206:54689/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttps://fstarofliught.top/wozd | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://check.hosam.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://check.colaj.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://lumbersmile.icu/apri.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttp://lumbersmile.icu/apr.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttps://4asalaccgfa.top/gsooz | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://check.wewum.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://103.48.64.50:38680/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://117.209.117.141:55381/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://102.33.34.151:35209/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://185.208.158.182:8090/pages/login.php | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttps://check.pejel.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://8salaccgfa.top/gsooz | Lumma Stealer botnet C2 (confidence level: 75%) |
Threat ID: 682acdc4bbaf20d303f21367
Added to database: 5/19/2025, 6:20:52 AM
Last enriched: 6/18/2025, 8:06:04 AM
Last updated: 7/26/2025, 3:30:08 PM
Views: 16
Related Threats
From ClickFix to Command: A Full PowerShell Attack Chain
MediumMalwareMon Aug 11 2025
North Korean Group ScarCruft Expands From Spying to Ransomware Attacks
MediumMalwareMon Aug 11 2025
MedusaLocker ransomware group is looking for pentesters
MediumMalwareMon Aug 11 2025
ThreatFox IOCs for 2025-08-10
MediumMalwareMon Aug 11 2025
ThreatFox IOCs for 2025-08-09
MediumMalwareSun Aug 10 2025
Actions
PRO
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Please log in to the Console to use AI analysis features.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.