ThreatFox IOCs for 2025-04-19
Severity: mediumType: malware
ThreatFox IOCs for 2025-04-19
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on April 19, 2025, by the ThreatFox MISP feed. These IOCs relate to malware activity characterized primarily by OSINT (Open Source Intelligence) techniques, payload delivery mechanisms, and network activity. The data does not specify any particular malware family, affected software versions, or detailed technical exploits. Instead, it appears to be a collection of threat intelligence indicators intended to aid in detection and response efforts. The threat level is indicated as medium, with no known exploits in the wild or available patches. The absence of CWE identifiers and specific affected versions suggests this is a general threat intelligence update rather than a vulnerability in a particular product. The tags and categories emphasize the use of OSINT for threat detection and the focus on payload delivery and network behavior, which are common in malware campaigns. The technical details show moderate threat level and distribution scores, indicating some level of dissemination but not widespread or critical impact. Overall, this represents a situational awareness update for security teams to monitor and potentially incorporate into their detection systems rather than an active exploit or vulnerability requiring immediate patching.
Potential Impact
For European organizations, the impact of this threat intelligence update is primarily in enhancing situational awareness and improving detection capabilities against malware campaigns that utilize OSINT and network-based payload delivery. Since no specific exploit or vulnerability is identified, the direct risk to confidentiality, integrity, or availability is limited unless these IOCs correspond to active campaigns targeting European entities. However, failure to incorporate such threat intelligence could result in delayed detection of malware infections, leading to potential data breaches, operational disruption, or lateral movement within networks. Organizations with critical infrastructure or sensitive data could face increased risk if attackers leverage these indicators to craft targeted attacks. The medium severity suggests a moderate risk level, emphasizing the need for vigilance but not immediate crisis response.
Mitigation Recommendations
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enhance detection of related malware activity. 2. Conduct regular network traffic analysis focusing on unusual payload delivery patterns and suspicious network activity that align with the threat intelligence. 3. Train security operations teams to recognize and respond to OSINT-driven attack vectors and payload delivery tactics. 4. Maintain up-to-date threat intelligence feeds and ensure automated correlation with internal logs for timely alerts. 5. Implement network segmentation and strict access controls to limit the potential spread of malware if detected. 6. Perform regular threat hunting exercises using the IOCs to proactively identify potential compromises. 7. Collaborate with national and European cybersecurity information sharing organizations to contextualize these IOCs within broader threat trends.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Indicators of Compromise
- domain: check.saguf.icu
- file: 194.59.31.74
- hash: 17527
- file: 196.251.88.99
- hash: 2404
- file: 62.60.226.101
- hash: 40106
- file: 45.94.31.80
- hash: 2404
- file: 192.177.111.67
- hash: 2404
- file: 197.224.236.164
- hash: 7443
- file: 162.250.124.62
- hash: 8080
- file: 111.229.202.115
- hash: 8083
- file: 171.227.30.106
- hash: 8000
- file: 35.179.100.140
- hash: 10261
- file: 35.78.171.69
- hash: 1963
- file: 18.222.12.121
- hash: 103
- file: 18.222.12.121
- hash: 2003
- file: 18.222.12.121
- hash: 34203
- file: 196.251.80.109
- hash: 80
- file: 176.65.144.18
- hash: 69
- domain: ht.bzmajiang.cn
- domain: www.x6se.buzz
- file: 209.141.33.93
- hash: 5538
- file: 45.79.145.180
- hash: 31337
- domain: ec2-16-163-161-107.ap-east-1.compute.amazonaws.com
- file: 196.251.116.201
- hash: 2007
- file: 196.251.69.26
- hash: 222
- file: 2.56.245.216
- hash: 4608
- file: 171.227.30.106
- hash: 5000
- file: 20.240.184.170
- hash: 80
- file: 147.135.209.16
- hash: 4433
- file: 147.135.209.16
- hash: 8081
- file: 13.203.232.69
- hash: 2052
- file: 52.91.218.1
- hash: 101
- file: 81.70.202.246
- hash: 60000
- file: 52.212.98.5
- hash: 443
- file: 130.61.248.49
- hash: 6666
- file: 152.53.130.64
- hash: 3333
- file: 23.94.212.181
- hash: 443
- file: 47.113.227.68
- hash: 9205
- file: 3.110.28.213
- hash: 3333
- file: 103.150.92.3
- hash: 3333
- file: 3.18.121.82
- hash: 8443
- file: 208.40.7.3
- hash: 3333
- file: 120.26.235.70
- hash: 3333
- file: 51.159.187.214
- hash: 3615
- file: 80.71.149.20
- hash: 3333
- file: 106.15.227.21
- hash: 7000
- file: 100.26.43.242
- hash: 8888
- file: 3.104.57.100
- hash: 443
- file: 209.182.239.173
- hash: 4433
- file: 43.133.72.43
- hash: 443
- file: 54.159.118.2
- hash: 443
- file: 95.169.25.146
- hash: 50050
- file: 173.249.24.35
- hash: 31337
- file: 45.76.156.251
- hash: 31337
- file: 137.184.239.125
- hash: 31337
- file: 103.68.251.141
- hash: 8869
- file: 35.178.244.216
- hash: 873
- file: 222.89.70.13
- hash: 9088
- file: 149.210.62.42
- hash: 443
- url: http://10.99.1.101/en-us/supershell/login/auth
- url: https://quicklinks-online.com/
- url: http://141.164.61.168
- domain: lynmor.com
- domain: grrlspace.com
- domain: reddit.co.im
- domain: futuristx.live
- domain: synmedsp.live
- domain: four-meme.dev
- domain: 9xuj2tcnm.localto.net
- domain: go.gets-it.net
- file: 188.240.81.233
- hash: 3131
- domain: rhymers.duckdns.org
- file: 38.102.9.64
- hash: 23074
- file: 45.88.91.214
- hash: 4500
- url: https://pastebin.com/raw/9hzqgnjr
- domain: although-cholesterol.gl.at.ply.gg
- domain: interface-owners.gl.at.ply.gg
- domain: match-charity.gl.at.ply.gg
- domain: o-sufficient.gl.at.ply.gg
- url: http://182.124.109.206:54689/mozi.m
- url: https://fstarofliught.top/wozd
- file: 121.43.160.89
- hash: 10001
- file: 139.9.61.175
- hash: 8443
- file: 47.86.107.151
- hash: 80
- file: 176.113.82.51
- hash: 443
- file: 104.168.57.116
- hash: 9999
- file: 106.75.12.246
- hash: 81
- file: 23.94.54.13
- hash: 8443
- file: 148.135.90.11
- hash: 8443
- file: 198.98.57.26
- hash: 4433
- domain: check.hosam.icu
- url: https://check.hosam.icu/gkcxv.google
- file: 103.96.130.111
- hash: 80
- file: 94.140.114.150
- hash: 8080
- file: 45.45.217.148
- hash: 80
- domain: office.socalmediazone.com
- domain: account.st4b4n.fr
- file: 171.227.30.106
- hash: 6001
- file: 18.116.20.64
- hash: 4839
- file: 51.79.160.146
- hash: 808
- file: 154.201.91.52
- hash: 808
- file: 176.65.149.67
- hash: 80
- file: 106.75.215.144
- hash: 443
- file: 13.51.167.241
- hash: 9142
- domain: check.colaj.icu
- url: https://check.colaj.icu/gkcxv.google
- file: 71.187.100.156
- hash: 2222
- file: 91.92.46.42
- hash: 80
- url: http://lumbersmile.icu/apri.php
- url: http://lumbersmile.icu/apr.php
- domain: lumbersmile.icu
- url: https://4asalaccgfa.top/gsooz
- domain: check.wewum.icu
- url: https://check.wewum.icu/gkcxv.google
- file: 196.251.70.239
- hash: 2404
- file: 185.38.142.128
- hash: 443
- file: 196.251.116.190
- hash: 4507
- file: 35.220.140.248
- hash: 8443
- file: 123.57.20.184
- hash: 8888
- file: 163.5.210.172
- hash: 8808
- file: 81.17.24.234
- hash: 6606
- file: 163.172.125.253
- hash: 300
- file: 195.10.205.179
- hash: 8089
- file: 77.110.106.151
- hash: 8089
- file: 196.251.87.16
- hash: 80
- file: 45.45.217.148
- hash: 8089
- file: 206.166.251.139
- hash: 443
- file: 188.166.174.146
- hash: 8080
- file: 188.166.174.146
- hash: 443
- file: 156.253.227.252
- hash: 80
- url: http://103.48.64.50:38680/mozi.m
- url: http://117.209.117.141:55381/mozi.m
- url: http://102.33.34.151:35209/mozi.m
- domain: 4gjhr5qxhyaj1.cfc-execute.bj.baidubce.com
- domain: yyds.chinaunciom.sbs
- file: 111.230.161.5
- hash: 8080
- file: 119.91.246.70
- hash: 443
- file: 134.175.159.214
- hash: 8080
- file: 176.113.82.51
- hash: 80
- file: 36.41.71.241
- hash: 2086
- url: http://185.208.158.182:8090/pages/login.php
- file: 45.83.207.17
- hash: 6522
- file: 88.214.48.65
- hash: 423
- file: 88.214.48.65
- hash: 417
- file: 88.214.48.65
- hash: 428
- file: 88.214.48.66
- hash: 416
- file: 88.214.48.66
- hash: 430
- file: 88.214.48.64
- hash: 424
- file: 88.214.48.64
- hash: 418
- file: 88.214.48.65
- hash: 425
- file: 88.214.48.65
- hash: 419
- file: 88.214.48.66
- hash: 421
- file: 88.214.48.65
- hash: 416
- file: 88.214.48.64
- hash: 426
- file: 88.214.48.65
- hash: 431
- file: 88.214.48.65
- hash: 424
- file: 47.116.34.88
- hash: 9000
- file: 118.31.118.190
- hash: 80
- file: 192.142.0.149
- hash: 80
- file: 62.60.226.21
- hash: 40106
- file: 31.220.81.57
- hash: 2404
- file: 196.251.116.190
- hash: 2404
- file: 185.165.170.222
- hash: 2404
- file: 196.251.116.158
- hash: 4507
- file: 144.91.103.204
- hash: 31337
- file: 64.52.80.67
- hash: 443
- file: 89.40.31.130
- hash: 1010
- file: 128.90.106.203
- hash: 8808
- domain: auth.echelonai.world
- file: 77.110.106.151
- hash: 80
- file: 192.153.57.203
- hash: 8080
- file: 185.177.239.155
- hash: 443
- file: 171.227.30.106
- hash: 6000
- file: 54.219.14.165
- hash: 2628
- file: 217.114.43.122
- hash: 4000
- url: https://check.pejel.icu/gkcxv.google
- file: 4.227.206.117
- hash: 443
- file: 101.200.76.102
- hash: 8080
- file: 179.43.186.234
- hash: 443
- file: 45.88.186.113
- hash: 8808
- file: 188.166.174.146
- hash: 80
- file: 198.135.50.66
- hash: 4449
- file: 93.198.178.131
- hash: 81
- file: 66.63.187.82
- hash: 80
- file: 118.161.8.213
- hash: 443
- file: 163.181.143.92
- hash: 4506
- file: 50.106.3.62
- hash: 995
- domain: mail1.lasthit.store
- domain: mail2.lasthit.store
- file: 172.104.60.134
- hash: 53
- url: https://8salaccgfa.top/gsooz
- domain: api.googleshop.xyz
- file: 152.136.17.91
- hash: 9999
- file: 179.43.186.234
- hash: 80
- file: 198.98.57.26
- hash: 8443
ThreatFox IOCs for 2025-04-19
Medium
Published: Sat Apr 19 2025 (04/19/2025, 00:00:00 UTC)
Source: ThreatFox MISP Feed
Vendor/Project: type
Product: osint
Description
ThreatFox IOCs for 2025-04-19
AI-Powered Analysis
AILast updated: 06/27/2025, 11:22:09 UTC
Technical Analysis
The provided information pertains to a set of Indicators of Compromise (IOCs) published on April 19, 2025, by the ThreatFox MISP feed. These IOCs relate to malware activity characterized primarily by OSINT (Open Source Intelligence) techniques, payload delivery mechanisms, and network activity. The data does not specify any particular malware family, affected software versions, or detailed technical exploits. Instead, it appears to be a collection of threat intelligence indicators intended to aid in detection and response efforts. The threat level is indicated as medium, with no known exploits in the wild or available patches. The absence of CWE identifiers and specific affected versions suggests this is a general threat intelligence update rather than a vulnerability in a particular product. The tags and categories emphasize the use of OSINT for threat detection and the focus on payload delivery and network behavior, which are common in malware campaigns. The technical details show moderate threat level and distribution scores, indicating some level of dissemination but not widespread or critical impact. Overall, this represents a situational awareness update for security teams to monitor and potentially incorporate into their detection systems rather than an active exploit or vulnerability requiring immediate patching.
Potential Impact
For European organizations, the impact of this threat intelligence update is primarily in enhancing situational awareness and improving detection capabilities against malware campaigns that utilize OSINT and network-based payload delivery. Since no specific exploit or vulnerability is identified, the direct risk to confidentiality, integrity, or availability is limited unless these IOCs correspond to active campaigns targeting European entities. However, failure to incorporate such threat intelligence could result in delayed detection of malware infections, leading to potential data breaches, operational disruption, or lateral movement within networks. Organizations with critical infrastructure or sensitive data could face increased risk if attackers leverage these indicators to craft targeted attacks. The medium severity suggests a moderate risk level, emphasizing the need for vigilance but not immediate crisis response.
Mitigation Recommendations
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems to enhance detection of related malware activity. 2. Conduct regular network traffic analysis focusing on unusual payload delivery patterns and suspicious network activity that align with the threat intelligence. 3. Train security operations teams to recognize and respond to OSINT-driven attack vectors and payload delivery tactics. 4. Maintain up-to-date threat intelligence feeds and ensure automated correlation with internal logs for timely alerts. 5. Implement network segmentation and strict access controls to limit the potential spread of malware if detected. 6. Perform regular threat hunting exercises using the IOCs to proactively identify potential compromises. 7. Collaborate with national and European cybersecurity information sharing organizations to contextualize these IOCs within broader threat trends.
Affected Countries
Need more detailed analysis?Get Pro
Pro Feature
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- f9c9b7e2-7a1a-41b1-8ba7-b4c9b0e1c634
- Original Timestamp
- 1745107387
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaincheck.saguf.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domainht.bzmajiang.cn | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainwww.x6se.buzz | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainec2-16-163-161-107.ap-east-1.compute.amazonaws.com | ShadowPad botnet C2 domain (confidence level: 90%) | |
domainlynmor.com | FAKEUPDATES payload delivery domain (confidence level: 50%) | |
domaingrrlspace.com | FAKEUPDATES payload delivery domain (confidence level: 50%) | |
domainreddit.co.im | Unknown malware payload delivery domain (confidence level: 50%) | |
domainfuturistx.live | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainsynmedsp.live | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainfour-meme.dev | Unknown malware payload delivery domain (confidence level: 50%) | |
domain9xuj2tcnm.localto.net | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domaingo.gets-it.net | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainrhymers.duckdns.org | Remcos botnet C2 domain (confidence level: 50%) | |
domainalthough-cholesterol.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domaininterface-owners.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domainmatch-charity.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domaino-sufficient.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) | |
domaincheck.hosam.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domainoffice.socalmediazone.com | Hook botnet C2 domain (confidence level: 100%) | |
domainaccount.st4b4n.fr | Havoc botnet C2 domain (confidence level: 100%) | |
domaincheck.colaj.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domainlumbersmile.icu | Unknown Loader botnet C2 domain (confidence level: 100%) | |
domaincheck.wewum.icu | ClearFake payload delivery domain (confidence level: 100%) | |
domain4gjhr5qxhyaj1.cfc-execute.bj.baidubce.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainyyds.chinaunciom.sbs | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainauth.echelonai.world | Hook botnet C2 domain (confidence level: 100%) | |
domainmail1.lasthit.store | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainmail2.lasthit.store | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainapi.googleshop.xyz | Cobalt Strike botnet C2 domain (confidence level: 75%) |
File
| Value | Description | Copy |
|---|---|---|
file194.59.31.74 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.88.99 | Remcos botnet C2 server (confidence level: 100%) | |
file62.60.226.101 | Remcos botnet C2 server (confidence level: 100%) | |
file45.94.31.80 | Remcos botnet C2 server (confidence level: 100%) | |
file192.177.111.67 | Remcos botnet C2 server (confidence level: 100%) | |
file197.224.236.164 | Unknown malware botnet C2 server (confidence level: 100%) | |
file162.250.124.62 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file111.229.202.115 | Havoc botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file35.179.100.140 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file35.78.171.69 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.222.12.121 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.222.12.121 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.222.12.121 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file196.251.80.109 | XWorm botnet C2 server (confidence level: 100%) | |
file176.65.144.18 | Bashlite botnet C2 server (confidence level: 75%) | |
file209.141.33.93 | Mirai botnet C2 server (confidence level: 75%) | |
file45.79.145.180 | Sliver botnet C2 server (confidence level: 90%) | |
file196.251.116.201 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.69.26 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file2.56.245.216 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file20.240.184.170 | ERMAC botnet C2 server (confidence level: 100%) | |
file147.135.209.16 | Unknown malware botnet C2 server (confidence level: 100%) | |
file147.135.209.16 | Unknown malware botnet C2 server (confidence level: 100%) | |
file13.203.232.69 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file52.91.218.1 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file81.70.202.246 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.212.98.5 | Unknown malware botnet C2 server (confidence level: 100%) | |
file130.61.248.49 | Unknown malware botnet C2 server (confidence level: 100%) | |
file152.53.130.64 | Unknown malware botnet C2 server (confidence level: 100%) | |
file23.94.212.181 | Unknown malware botnet C2 server (confidence level: 100%) | |
file47.113.227.68 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.110.28.213 | Unknown malware botnet C2 server (confidence level: 100%) | |
file103.150.92.3 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.18.121.82 | Unknown malware botnet C2 server (confidence level: 100%) | |
file208.40.7.3 | Unknown malware botnet C2 server (confidence level: 100%) | |
file120.26.235.70 | Unknown malware botnet C2 server (confidence level: 100%) | |
file51.159.187.214 | Unknown malware botnet C2 server (confidence level: 100%) | |
file80.71.149.20 | Unknown malware botnet C2 server (confidence level: 100%) | |
file106.15.227.21 | Unknown malware botnet C2 server (confidence level: 100%) | |
file100.26.43.242 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.104.57.100 | Unknown malware botnet C2 server (confidence level: 100%) | |
file209.182.239.173 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file43.133.72.43 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file54.159.118.2 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file95.169.25.146 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file173.249.24.35 | Sliver botnet C2 server (confidence level: 50%) | |
file45.76.156.251 | Sliver botnet C2 server (confidence level: 50%) | |
file137.184.239.125 | Sliver botnet C2 server (confidence level: 50%) | |
file103.68.251.141 | DarkComet botnet C2 server (confidence level: 50%) | |
file35.178.244.216 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file222.89.70.13 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file149.210.62.42 | Ghost RAT botnet C2 server (confidence level: 50%) | |
file188.240.81.233 | AsyncRAT botnet C2 server (confidence level: 50%) | |
file38.102.9.64 | Remcos botnet C2 server (confidence level: 50%) | |
file45.88.91.214 | Remcos botnet C2 server (confidence level: 50%) | |
file121.43.160.89 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file139.9.61.175 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file47.86.107.151 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file176.113.82.51 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file104.168.57.116 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file106.75.12.246 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file23.94.54.13 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file148.135.90.11 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file198.98.57.26 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file103.96.130.111 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file94.140.114.150 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.45.217.148 | Hook botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file18.116.20.64 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file51.79.160.146 | Kaiji botnet C2 server (confidence level: 100%) | |
file154.201.91.52 | Kaiji botnet C2 server (confidence level: 100%) | |
file176.65.149.67 | MooBot botnet C2 server (confidence level: 100%) | |
file106.75.215.144 | Sliver botnet C2 server (confidence level: 75%) | |
file13.51.167.241 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
file71.187.100.156 | QakBot botnet C2 server (confidence level: 75%) | |
file91.92.46.42 | Stealc botnet C2 server (confidence level: 100%) | |
file196.251.70.239 | Remcos botnet C2 server (confidence level: 100%) | |
file185.38.142.128 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.116.190 | Remcos botnet C2 server (confidence level: 100%) | |
file35.220.140.248 | pupy botnet C2 server (confidence level: 100%) | |
file123.57.20.184 | Unknown malware botnet C2 server (confidence level: 100%) | |
file163.5.210.172 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file81.17.24.234 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file163.172.125.253 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file195.10.205.179 | Hook botnet C2 server (confidence level: 100%) | |
file77.110.106.151 | Hook botnet C2 server (confidence level: 100%) | |
file196.251.87.16 | Hook botnet C2 server (confidence level: 100%) | |
file45.45.217.148 | Hook botnet C2 server (confidence level: 100%) | |
file206.166.251.139 | Havoc botnet C2 server (confidence level: 100%) | |
file188.166.174.146 | Havoc botnet C2 server (confidence level: 100%) | |
file188.166.174.146 | Havoc botnet C2 server (confidence level: 100%) | |
file156.253.227.252 | MooBot botnet C2 server (confidence level: 100%) | |
file111.230.161.5 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file119.91.246.70 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file134.175.159.214 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file176.113.82.51 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file36.41.71.241 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file45.83.207.17 | NjRAT botnet C2 server (confidence level: 75%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.66 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.66 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.64 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.64 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.66 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.64 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file88.214.48.65 | Tofsee botnet C2 server (confidence level: 100%) | |
file47.116.34.88 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file118.31.118.190 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file192.142.0.149 | Remcos botnet C2 server (confidence level: 100%) | |
file62.60.226.21 | Remcos botnet C2 server (confidence level: 100%) | |
file31.220.81.57 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.116.190 | Remcos botnet C2 server (confidence level: 100%) | |
file185.165.170.222 | Remcos botnet C2 server (confidence level: 100%) | |
file196.251.116.158 | Remcos botnet C2 server (confidence level: 100%) | |
file144.91.103.204 | Sliver botnet C2 server (confidence level: 100%) | |
file64.52.80.67 | Sliver botnet C2 server (confidence level: 100%) | |
file89.40.31.130 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file128.90.106.203 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file77.110.106.151 | Hook botnet C2 server (confidence level: 100%) | |
file192.153.57.203 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file185.177.239.155 | Havoc botnet C2 server (confidence level: 100%) | |
file171.227.30.106 | Venom RAT botnet C2 server (confidence level: 100%) | |
file54.219.14.165 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file217.114.43.122 | Unknown malware botnet C2 server (confidence level: 100%) | |
file4.227.206.117 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file101.200.76.102 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file179.43.186.234 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.88.186.113 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file188.166.174.146 | Havoc botnet C2 server (confidence level: 100%) | |
file198.135.50.66 | Venom RAT botnet C2 server (confidence level: 100%) | |
file93.198.178.131 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file66.63.187.82 | Bashlite botnet C2 server (confidence level: 100%) | |
file118.161.8.213 | QakBot botnet C2 server (confidence level: 75%) | |
file163.181.143.92 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file50.106.3.62 | QakBot botnet C2 server (confidence level: 75%) | |
file172.104.60.134 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file152.136.17.91 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file179.43.186.234 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file198.98.57.26 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash17527 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash40106 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8080 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash8083 | Havoc botnet C2 server (confidence level: 100%) | |
hash8000 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash10261 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash1963 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash103 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash2003 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash34203 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | XWorm botnet C2 server (confidence level: 100%) | |
hash69 | Bashlite botnet C2 server (confidence level: 75%) | |
hash5538 | Mirai botnet C2 server (confidence level: 75%) | |
hash31337 | Sliver botnet C2 server (confidence level: 90%) | |
hash2007 | Remcos botnet C2 server (confidence level: 100%) | |
hash222 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash4608 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash5000 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash80 | ERMAC botnet C2 server (confidence level: 100%) | |
hash4433 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8081 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash2052 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash101 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash6666 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash9205 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3615 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash8869 | DarkComet botnet C2 server (confidence level: 50%) | |
hash873 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
hash9088 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
hash443 | Ghost RAT botnet C2 server (confidence level: 50%) | |
hash3131 | AsyncRAT botnet C2 server (confidence level: 50%) | |
hash23074 | Remcos botnet C2 server (confidence level: 50%) | |
hash4500 | Remcos botnet C2 server (confidence level: 50%) | |
hash10001 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9999 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash81 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash6001 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash4839 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash808 | Kaiji botnet C2 server (confidence level: 100%) | |
hash808 | Kaiji botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 75%) | |
hash9142 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
hash2222 | QakBot botnet C2 server (confidence level: 75%) | |
hash80 | Stealc botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash443 | Remcos botnet C2 server (confidence level: 100%) | |
hash4507 | Remcos botnet C2 server (confidence level: 100%) | |
hash8443 | pupy botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash300 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8089 | Hook botnet C2 server (confidence level: 100%) | |
hash8089 | Hook botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash8089 | Hook botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash8080 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash2086 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash6522 | NjRAT botnet C2 server (confidence level: 75%) | |
hash423 | Tofsee botnet C2 server (confidence level: 100%) | |
hash417 | Tofsee botnet C2 server (confidence level: 100%) | |
hash428 | Tofsee botnet C2 server (confidence level: 100%) | |
hash416 | Tofsee botnet C2 server (confidence level: 100%) | |
hash430 | Tofsee botnet C2 server (confidence level: 100%) | |
hash424 | Tofsee botnet C2 server (confidence level: 100%) | |
hash418 | Tofsee botnet C2 server (confidence level: 100%) | |
hash425 | Tofsee botnet C2 server (confidence level: 100%) | |
hash419 | Tofsee botnet C2 server (confidence level: 100%) | |
hash421 | Tofsee botnet C2 server (confidence level: 100%) | |
hash416 | Tofsee botnet C2 server (confidence level: 100%) | |
hash426 | Tofsee botnet C2 server (confidence level: 100%) | |
hash431 | Tofsee botnet C2 server (confidence level: 100%) | |
hash424 | Tofsee botnet C2 server (confidence level: 100%) | |
hash9000 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Remcos botnet C2 server (confidence level: 100%) | |
hash40106 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash4507 | Remcos botnet C2 server (confidence level: 100%) | |
hash31337 | Sliver botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash1010 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash8080 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash6000 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash2628 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash4000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | Havoc botnet C2 server (confidence level: 100%) | |
hash4449 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash81 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | Bashlite botnet C2 server (confidence level: 100%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash4506 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash995 | QakBot botnet C2 server (confidence level: 75%) | |
hash53 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash9999 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://10.99.1.101/en-us/supershell/login/auth | Unknown malware botnet C2 (confidence level: 50%) | |
urlhttps://quicklinks-online.com/ | Unknown malware payload delivery URL (confidence level: 50%) | |
urlhttp://141.164.61.168 | Kimsuky botnet C2 (confidence level: 50%) | |
urlhttps://pastebin.com/raw/9hzqgnjr | XWorm botnet C2 (confidence level: 50%) | |
urlhttp://182.124.109.206:54689/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttps://fstarofliught.top/wozd | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://check.hosam.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://check.colaj.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://lumbersmile.icu/apri.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttp://lumbersmile.icu/apr.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttps://4asalaccgfa.top/gsooz | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://check.wewum.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://103.48.64.50:38680/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://117.209.117.141:55381/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://102.33.34.151:35209/mozi.m | Mozi payload delivery URL (confidence level: 50%) | |
urlhttp://185.208.158.182:8090/pages/login.php | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttps://check.pejel.icu/gkcxv.google | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://8salaccgfa.top/gsooz | Lumma Stealer botnet C2 (confidence level: 75%) |
Threat ID: 68367c96182aa0cae23195a7
Added to database: 5/28/2025, 3:01:42 AM
Last enriched: 6/27/2025, 11:22:09 AM
Last updated: 8/17/2025, 3:34:45 PM
Views: 8
Related Threats
ThreatFox IOCs for 2025-08-18
MediumMalwareTue Aug 19 2025
Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft
MediumMalwareMon Aug 18 2025
Phishing Scam with Fake Copyright Notices Drops New Noodlophile Stealer Variant
MediumMalwareMon Aug 18 2025
ThreatFox IOCs for 2025-08-17
MediumMalwareMon Aug 18 2025
ThreatFox IOCs for 2025-08-16
MediumMalwareSun Aug 17 2025
Actions
PRO
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Please log in to the Console to use AI analysis features.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.