ThreatFox IOCs for 2025-05-04
AI Analysis
Technical Summary
The provided threat intelligence entry titled "ThreatFox IOCs for 2025-05-04" relates to a malware-type threat categorized under OSINT (Open Source Intelligence) tools or data. The entry originates from ThreatFox, a platform known for sharing Indicators of Compromise (IOCs) and threat intelligence. However, the technical details are minimal, with no specific affected product versions, no CWE identifiers, no patch links, and no known exploits in the wild. The threat level is indicated as 2 on an unspecified scale, with analysis and distribution values of 1 and 3 respectively, suggesting limited analysis and moderate distribution potential. The absence of indicators and detailed technical information implies that this entry likely represents a collection or update of IOCs rather than a direct malware sample or exploit. The classification as "type:osint" and the TLP (Traffic Light Protocol) white tag indicate that the information is intended for wide distribution and is related to open-source intelligence gathering or sharing. Given the lack of concrete technical specifics such as attack vectors, payload details, or targeted vulnerabilities, the threat appears to be informational in nature, possibly serving as a repository or update of threat intelligence data rather than an active, exploitable malware campaign. This limits the ability to perform a deep technical analysis but suggests a focus on monitoring and intelligence sharing within the cybersecurity community.
Potential Impact
For European organizations, the direct impact of this threat is currently low to medium due to the absence of known exploits or active campaigns. Since the entry primarily represents OSINT-related IOCs without specific malware payloads or attack mechanisms, the immediate risk to confidentiality, integrity, or availability is limited. However, the distribution of such intelligence can indirectly impact organizations by informing threat actors or defenders about emerging trends or potential targets. European entities that rely heavily on threat intelligence feeds for proactive defense may benefit from this information, while adversaries might use it to refine their tactics. The lack of targeted product versions or affected systems means that no particular sector or infrastructure is explicitly at risk. Nonetheless, organizations should remain vigilant, as OSINT-based malware or campaigns can evolve rapidly, and the presence of distributed IOCs could precede more active threats. The medium severity rating suggests a moderate concern, primarily from an intelligence and preparedness perspective rather than immediate operational disruption.
Mitigation Recommendations
Given the nature of this threat as an OSINT IOC update without direct exploit or malware payload, mitigation should focus on enhancing threat intelligence integration and operational readiness. European organizations should:
1. Ensure their security operations centers (SOCs) and threat intelligence teams ingest and correlate these IOCs with internal telemetry to detect any related suspicious activity early.
2. Maintain updated and comprehensive endpoint detection and response (EDR) solutions capable of leveraging IOC feeds for proactive hunting.
3. Conduct regular threat hunting exercises focused on emerging OSINT indicators to identify potential reconnaissance or preparatory activities.
4. Collaborate with national and European cybersecurity information sharing organizations (e.g., ENISA, CERT-EU) to contextualize these IOCs within broader threat landscapes.
5. Avoid generic patching advice since no specific vulnerabilities are identified; instead, focus on strengthening detection capabilities and incident response readiness.
6. Educate staff on recognizing social engineering or phishing attempts that might leverage OSINT-derived information.
These steps will help organizations convert the intelligence into actionable defense measures despite the lack of direct exploit details.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- domain: webexone.org
- domain: raw.foxthreatnointel.vip
- domain: accountfun.digital
- domain: homelecyfi.digital
- domain: gobacknihq.digital
- domain: suiadris.digital
- domain: caverimared.digital
- url: http://185.235.167.122:8888/supershell/login/
- ip:port: 176.65.144.197:443
- ip:port: 193.227.129.75:6595
- ip:port: 128.90.113.30:8808
- ip:port: 185.208.156.169:6503
- domain: coms-gs.com
- domain: bmjpaperpqck.com
- ip:port: 139.64.172.67:443
- ip:port: 161.35.194.66:3333
- url: http://arsoln2r.beget.tech/fj43384ft63/eternaltocpuprocessserveruniversaldatalife.php
- hash: a34bfc8c1c24202c196092d56ed01b498c9f75e10ea7ccd1f923138ca4919be3
- hash: 4e457efa717ec715f61c3a62017df2cefe183298a984031cce26dbeaa5cc497e
- domain: tcangcm.com
- domain: desablums.com
- domain: trusltwcllct.com
- domain: coiincmi.com
- domain: elcctrum.cc
- domain: 0maill.com
- url: https://aeneasq.live/nmgj
- url: https://baseurzv.run/asuz
- url: https://borijinalecza.org/jub
- url: https://fmedicalbitkisel.net/juj
- url: https://ftortoisgfe.top/paxk
- url: https://ksnakejh.top/adsk
- url: https://xsnakejh.top/adsk
- url: https://ztortoisgfe.top/paxk
- domain: us-ledger.io
- hash: 89d8347999067a3a60691e009e17e3aa19c98668a77f0d1de313bd67ed409de7
- hash: eb08b6f4565b1eaa752e5cffd71287738befa6e0bd99a41e45b1ec104df0388e
- domain: dgtseso-sedes.cfd
- ip:port: 45.81.23.48:1777
- ip:port: 196.251.83.223:7777
- ip:port: 196.251.83.223:8808
- ip:port: 24.152.36.216:4000
- domain: veltyzo.shop
- ip:port: 89.23.97.32:80
- ip:port: 93.198.180.238:81
- ip:port: 3.255.90.197:443
- ip:port: 52.213.183.75:8080
- ip:port: 13.60.26.38:3333
- ip:port: 107.155.87.39:8443
- ip:port: 185.221.152.164:3434
- ip:port: 51.178.26.15:3333
- ip:port: 3.124.207.127:443
- ip:port: 13.125.164.1:80
- ip:port: 15.235.167.145:3333
- ip:port: 34.241.214.245:443
- ip:port: 13.201.89.149:3333
- ip:port: 63.33.56.166:443
- ip:port: 13.49.0.94:4444
- ip:port: 16.171.230.230:3333
- ip:port: 188.40.233.29:3333
- ip:port: 142.171.29.139:80
- ip:port: 63.33.197.184:443
- ip:port: 13.60.228.174:3333
- ip:port: 4.237.239.58:3333
- ip:port: 164.92.69.60:3333
- url: https://sformydab.run/gaus
- domain: theuni-swap.com
- ip:port: 47.76.168.32:8443
- ip:port: 51.38.192.140:9001
- ip:port: 8.148.27.195:8080
- url: http://117.200.148.155:50879/mozi.m
- ip:port: 161.248.238.54:1995
- ip:port: 8.138.189.93:50050
- ip:port: 43.139.124.56:50050
- ip:port: 185.147.124.148:9000
- ip:port: 85.209.128.31:9000
- ip:port: 206.189.116.120:3333
- ip:port: 64.23.133.41:31337
- ip:port: 148.66.11.10:4433
- ip:port: 38.110.228.216:31337
- ip:port: 13.49.46.253:443
- ip:port: 54.236.199.83:2154
- ip:port: 117.209.82.28:45666
- url: http://5.199.166.102/login
- domain: gotoaa.sytes.net
- domain: foundation-appropriate.gl.at.ply.gg
- domain: direct-conventional.gl.at.ply.gg
- domain: salesmanpaypals-52908.portmap.io
- domain: three-comparative.gl.at.ply.gg
- domain: mcjacademy.cyou
- domain: gmug.uncofig.com
- domain: kiwibobby-55937.portmap.io
- domain: alpaca-flnance.com
- url: https://0opusculy.top/keaj
- url: https://porijinalecza.net/kazd
- url: https://zmedicalbitkisel.net/juj
- url: https://dhemispherexz.top/xapp
- url: https://hexitiumt.digital/xane
- url: https://ljorijinalecza.org/jub
- url: https://porjinalecza.net/lxaz
- url: https://quaestort.live/toquw
- url: https://scivitasu.run/werrp
- ip:port: 123.60.135.200:443
- ip:port: 206.238.114.38:8080
- ip:port: 146.70.41.206:443
- ip:port: 196.251.92.3:8808
- ip:port: 196.251.115.33:6606
- ip:port: 196.251.115.33:7707
- ip:port: 173.255.232.239:7443
- domain: blinkory.shop
- ip:port: 47.236.177.123:8081
- ip:port: 86.93.140.187:443
- ip:port: 101.109.205.1:7443
- domain: app.alpacaflnance.com
- domain: dapp.radar-home.com
- domain: raydium.io-sol.vip
- domain: sushi.swap-ether.net
- domain: camelot.exc-v3.org
- domain: kodiak.finance.io-v6.bet
- domain: app.spookyswap-v3.com
- domain: biswap.org-earn.com
- domain: velodrome.finance-superchain.org
- ip:port: 54.169.64.63:443
- ip:port: 70.31.125.150:2222
- ip:port: 143.92.60.22:9568
- url: https://idcomplaint1.com/
- url: https://complaintreservaid1.com/
- url: https://idcomplaint2.com/
- url: https://admin-protect.help/
- url: https://blockinsight.net/
- url: https://nahamcon2025asdasd.pages.dev/
- url: https://pumpfunaaexposed.pages.dev/
- url: https://pumpcommunity.pages.dev/
- url: https://www.banki.kancelariaoxford.pl/
- url: https://cloudflare.eradigitalibl.com/
- url: https://travelersi.com/
- url: https://kap.magicitbd.com/?__cf_chl_tk=4mbqffrgmpasvve_gztefjch0gnh_5jlfaoxdb5rihaihuyx55sbisx_l_aqka68wdkb9wlw2hjsypra-1745944629-1.0.1.1-osozzbc1k5aoqw9wswty
- url: https://computonline.xyz/
- url: https://sky-shiiyu.moe/
- domain: app-uni-infos.com
- domain: adfs.fdwx.net
- ip:port: 18.189.194.55:9090
- ip:port: 38.134.148.175:443
- ip:port: 123.60.135.200:80
- ip:port: 152.42.199.84:8089
- url: http://84.200.154.182/sign-in
- ip:port: 23.249.29.117:5555
- ip:port: 195.211.191.54:3980
- ip:port: 185.177.239.241:2222
- ip:port: 45.204.197.88:1991
- url: http://ct57262.tw1.ru/l1nc0in.php
- ip:port: 45.204.199.73:7777
- url: https://desablums.com/f6j84vsdbngie2/tangem-setup-x64.exe
- url: https://desablums.com/f6j84vsdbngie2/trustwallet-setup-latest-x64.exe
- url: https://desablums.com/f6j84vsdbngie2/coinomi-wallet-setup-x64.exe
- domain: en-bitcoin.org
- domain: bitccincore.com
- hash: 976be23dcb1c0ef84fddb791762960bf75f02a029a2e7877282cedf1c1190e42
- hash: 194121aa2739d716f5cb3ca2ea051e9d39c7abc32cfef86a31345f2ef7277d8d
- url: https://desablums.com/f6j84vsdbngie2/trezor-suite-25.4.2-win-x64-setup.exe
- url: https://alicante-news.com/?uid=df4379cf-467b-4d2f-895f-94511d7b4308
- url: https://bitccincore.com/index.php?uid=1e5a8bfa-c19a-45d4-8f5a-d763a769029a
- ip:port: 161.35.255.100:55556
- ip:port: 94.198.96.166:52190
- ip:port: 45.74.15.233:3402
- ip:port: 47.86.232.155:4449
- url: http://80.64.18.63/tom4ku9v/index.php
- domain: brolyx95.duckdns.org
- ip:port: 161.248.238.54:57899
- domain: web.raihelp.top
- domain: tybhelp.top
- domain: web.chohelp.top
- url: https://throatsalt.icu/art.php
- url: https://stitchtransport.icu/art.php
- url: https://8opusculy.top/keaj
- url: https://drypingzyr.run/ariq
- url: https://dscriptao.digital/vpep
- url: https://ycivitasu.run/werrp
- url: https://1tortoisgfe.top/paxk
- url: https://4orijinalecza.org/jub
- url: https://8orjinalecza.net/lxaz
- url: https://ceczamedikal.org/vax
- url: https://dsnakejh.top/adsk
- url: https://heczamedikal.org/vax
- url: https://jsnakejh.top/adsk
- url: https://lsnakejh.top/adsk
- url: https://veczamedikal.org/vax
- url: https://vvecturar.top/zsia
- url: https://wmedicalbitkisel.net/juj
- url: https://zaeneasq.live/nmgj
- ip:port: 27.124.44.132:80
- url: https://1snakejh.top/adsk
- url: https://5vecturar.top/zsia
- url: https://9medicalbitkisel.net/juj
- url: https://esnakejh.top/adsk
- url: https://forijinalecza.net/kazd
- url: https://o1orjinalecza.net/lxaz
- url: https://oeczakozmetik.net/qop
- url: https://q0eczakozmetik.net/qop
- url: https://seczamedikal.org/vax
- url: https://zorijinalecza.net/kazd
- url: https://zreczamedikal.org/vax
- url: https://vmedicalbitkisel.net/juj
- ip:port: 80.64.18.63:80
- url: http://115.48.148.187:60817/mozi.m
- domain: dimmergauntlet.ru
- ip:port: 107.173.4.8:2404
- ip:port: 179.13.0.197:2404
- ip:port: 192.3.171.198:14646
- ip:port: 176.65.141.69:443
- ip:port: 84.46.243.167:443
- ip:port: 213.209.143.43:8888
- ip:port: 24.152.36.216:5000
- ip:port: 24.152.36.216:2000
- ip:port: 45.141.215.109:2000
- ip:port: 56.124.32.96:13123
- ip:port: 34.220.174.146:20141
- ip:port: 62.171.138.173:80
- ip:port: 103.141.158.19:443
- ip:port: 209.38.186.227:8888
- ip:port: 38.147.171.158:8888
- ip:port: 5.163.185.129:443
- ip:port: 78.128.112.209:48965
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- UUID: 0fcd0c79-824b-4d17-b9f4-2c6166d4ce34
- Original Timestamp: 1746403385
Indicators of Compromise
Domain
| Value | Description |
|---|---|
| webexone.org | Unknown Loader payload delivery domain (confidence level: 100%) |
| raw.foxthreatnointel.vip | Mirai botnet C2 domain (confidence level: 75%) |
| accountfun.digital | Lumma Stealer botnet C2 domain (confidence level: 75%) |
| homelecyfi.digital | Lumma Stealer botnet C2 domain (confidence level: 75%) |
| gobacknihq.digital | Lumma Stealer botnet C2 domain (confidence level: 75%) |
| suiadris.digital | Lumma Stealer botnet C2 domain (confidence level: 75%) |
| caverimared.digital | Lumma Stealer botnet C2 domain (confidence level: 75%) |
| coms-gs.com | Hook botnet C2 domain (confidence level: 100%) |
| bmjpaperpqck.com | Hook botnet C2 domain (confidence level: 100%) |
| tcangcm.com | Unknown malware payload delivery domain (confidence level: 100%) |
| desablums.com | Unknown malware payload delivery domain (confidence level: 100%) |
| trusltwcllct.com | Unknown malware payload delivery domain (confidence level: 100%) |
| coiincmi.com | Unknown malware payload delivery domain (confidence level: 100%) |
| elcctrum.cc | Unknown malware payload delivery domain (confidence level: 100%) |
| 0maill.com | Unknown malware payload delivery domain (confidence level: 100%) |
| us-ledger.io | Unknown malware botnet C2 domain (confidence level: 50%) |
| dgtseso-sedes.cfd | Cobalt Strike botnet C2 domain (confidence level: 100%) |
| veltyzo.shop | Hook botnet C2 domain (confidence level: 100%) |
| theuni-swap.com | Unknown malware botnet C2 domain (confidence level: 50%) |
| gotoaa.sytes.net | AsyncRAT botnet C2 domain (confidence level: 50%) |
| foundation-appropriate.gl.at.ply.gg | DCRat botnet C2 domain (confidence level: 50%) |
| direct-conventional.gl.at.ply.gg | NjRAT botnet C2 domain (confidence level: 50%) |
| salesmanpaypals-52908.portmap.io | Quasar RAT botnet C2 domain (confidence level: 50%) |
| three-comparative.gl.at.ply.gg | Quasar RAT botnet C2 domain (confidence level: 50%) |
| mcjacademy.cyou | Remcos botnet C2 domain (confidence level: 50%) |
| gmug.uncofig.com | XWorm botnet C2 domain (confidence level: 50%) |
| kiwibobby-55937.portmap.io | XWorm botnet C2 domain (confidence level: 50%) |
| alpaca-flnance.com | Unknown malware payload delivery domain (confidence level: 50%) |
| blinkory.shop | Hook botnet C2 domain (confidence level: 100%) |
| app.alpacaflnance.com | Unknown malware botnet C2 domain (confidence level: 50%) |
| dapp.radar-home.com | Unknown malware botnet C2 domain (confidence level: 50%) |
| raydium.io-sol.vip | Unknown malware botnet C2 domain (confidence level: 50%) |
| sushi.swap-ether.net | Unknown malware botnet C2 domain (confidence level: 50%) |
| camelot.exc-v3.org | Unknown malware botnet C2 domain (confidence level: 50%) |
| kodiak.finance.io-v6.bet | Unknown malware botnet C2 domain (confidence level: 50%) |
| app.spookyswap-v3.com | Unknown malware botnet C2 domain (confidence level: 50%) |
| biswap.org-earn.com | Unknown malware botnet C2 domain (confidence level: 50%) |
| velodrome.finance-superchain.org | Unknown malware botnet C2 domain (confidence level: 50%) |
| app-uni-infos.com | Unknown malware botnet C2 domain (confidence level: 75%) |
| adfs.fdwx.net | Havoc botnet C2 domain (confidence level: 100%) |
| en-bitcoin.org | Unknown malware botnet C2 domain (confidence level: 75%) |
| bitccincore.com | Unknown malware payload delivery domain (confidence level: 75%) |
| brolyx95.duckdns.org | Quasar RAT botnet C2 domain (confidence level: 100%) |
| web.raihelp.top | Unknown RAT botnet C2 domain (confidence level: 100%) |
| tybhelp.top | Unknown RAT botnet C2 domain (confidence level: 100%) |
| web.chohelp.top | Unknown RAT botnet C2 domain (confidence level: 100%) |
| dimmergauntlet.ru | ClearFake payload delivery domain (confidence level: 100%) |
Url
| Value | Description |
|---|---|
| http://185.235.167.122:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%) |
| http://arsoln2r.beget.tech/fj43384ft63/eternaltocpuprocessserveruniversaldatalife.php | DCRat botnet C2 (confidence level: 100%) |
| https://aeneasq.live/nmgj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://baseurzv.run/asuz | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://borijinalecza.org/jub | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://fmedicalbitkisel.net/juj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://ftortoisgfe.top/paxk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://ksnakejh.top/adsk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://xsnakejh.top/adsk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://ztortoisgfe.top/paxk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://sformydab.run/gaus | Lumma Stealer botnet C2 (confidence level: 75%) |
| http://117.200.148.155:50879/mozi.m | Mozi payload delivery URL (confidence level: 50%) |
| http://5.199.166.102/login | Unknown malware botnet C2 (confidence level: 50%) |
| https://0opusculy.top/keaj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://porijinalecza.net/kazd | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://zmedicalbitkisel.net/juj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://dhemispherexz.top/xapp | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://hexitiumt.digital/xane | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://ljorijinalecza.org/jub | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://porjinalecza.net/lxaz | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://quaestort.live/toquw | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://scivitasu.run/werrp | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://idcomplaint1.com/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://complaintreservaid1.com/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://idcomplaint2.com/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://admin-protect.help/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://blockinsight.net/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://nahamcon2025asdasd.pages.dev/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://pumpfunaaexposed.pages.dev/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://pumpcommunity.pages.dev/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://www.banki.kancelariaoxford.pl/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://cloudflare.eradigitalibl.com/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://travelersi.com/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://kap.magicitbd.com/?__cf_chl_tk=4mbqffrgmpasvve_gztefjch0gnh_5jlfaoxdb5rihaihuyx55sbisx_l_aqka68wdkb9wlw2hjsypra-1745944629-1.0.1.1-osozzbc1k5aoqw9wswty | Unknown malware payload delivery URL (confidence level: 50%) |
| https://computonline.xyz/ | Unknown malware payload delivery URL (confidence level: 50%) |
| https://sky-shiiyu.moe/ | Unknown malware payload delivery URL (confidence level: 50%) |
| http://84.200.154.182/sign-in | Unknown malware botnet C2 (confidence level: 100%) |
| http://ct57262.tw1.ru/l1nc0in.php | DCRat botnet C2 (confidence level: 100%) |
| https://desablums.com/f6j84vsdbngie2/tangem-setup-x64.exe | Unknown Stealer payload delivery URL (confidence level: 100%) |
| https://desablums.com/f6j84vsdbngie2/trustwallet-setup-latest-x64.exe | Unknown Stealer payload delivery URL (confidence level: 100%) |
| https://desablums.com/f6j84vsdbngie2/coinomi-wallet-setup-x64.exe | Unknown Stealer payload delivery URL (confidence level: 100%) |
| https://desablums.com/f6j84vsdbngie2/trezor-suite-25.4.2-win-x64-setup.exe | Unknown Stealer payload delivery URL (confidence level: 100%) |
| https://alicante-news.com/?uid=df4379cf-467b-4d2f-895f-94511d7b4308 | Unknown Stealer payload delivery URL (confidence level: 100%) |
| https://bitccincore.com/index.php?uid=1e5a8bfa-c19a-45d4-8f5a-d763a769029a | Unknown Stealer payload delivery URL (confidence level: 100%) |
| http://80.64.18.63/tom4ku9v/index.php | Amadey botnet C2 (confidence level: 100%) |
| https://throatsalt.icu/art.php | Unknown Loader botnet C2 (confidence level: 100%) |
| https://stitchtransport.icu/art.php | Unknown Loader botnet C2 (confidence level: 100%) |
| https://8opusculy.top/keaj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://drypingzyr.run/ariq | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://dscriptao.digital/vpep | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://ycivitasu.run/werrp | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://1tortoisgfe.top/paxk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://4orijinalecza.org/jub | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://8orjinalecza.net/lxaz | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://ceczamedikal.org/vax | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://dsnakejh.top/adsk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://heczamedikal.org/vax | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://jsnakejh.top/adsk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://lsnakejh.top/adsk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://veczamedikal.org/vax | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://vvecturar.top/zsia | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://wmedicalbitkisel.net/juj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://zaeneasq.live/nmgj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://1snakejh.top/adsk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://5vecturar.top/zsia | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://9medicalbitkisel.net/juj | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://esnakejh.top/adsk | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://forijinalecza.net/kazd | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://o1orjinalecza.net/lxaz | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://oeczakozmetik.net/qop | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://q0eczakozmetik.net/qop | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://seczamedikal.org/vax | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://zorijinalecza.net/kazd | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://zreczamedikal.org/vax | Lumma Stealer botnet C2 (confidence level: 75%) |
| https://vmedicalbitkisel.net/juj | Lumma Stealer botnet C2 (confidence level: 75%) |
| http://115.48.148.187:60817/mozi.m | Mozi payload delivery URL (confidence level: 50%) |
IP Address
| Value | Description |
|---|---|
| 176.65.144.197 | Mirai botnet C2 server (confidence level: 75%) |
| 193.227.129.75 | Remcos botnet C2 server (confidence level: 100%) |
| 128.90.113.30 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 185.208.156.169 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 139.64.172.67 | Havoc botnet C2 server (confidence level: 100%) |
| 161.35.194.66 | Unknown malware botnet C2 server (confidence level: 100%) |
| 45.81.23.48 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 196.251.83.223 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 196.251.83.223 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 24.152.36.216 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 89.23.97.32 | Hook botnet C2 server (confidence level: 100%) |
| 93.198.180.238 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 3.255.90.197 | Unknown malware botnet C2 server (confidence level: 100%) |
| 52.213.183.75 | Unknown malware botnet C2 server (confidence level: 100%) |
| 13.60.26.38 | Unknown malware botnet C2 server (confidence level: 100%) |
| 107.155.87.39 | Unknown malware botnet C2 server (confidence level: 100%) |
| 185.221.152.164 | Unknown malware botnet C2 server (confidence level: 100%) |
| 51.178.26.15 | Unknown malware botnet C2 server (confidence level: 100%) |
| 3.124.207.127 | Unknown malware botnet C2 server (confidence level: 100%) |
| 13.125.164.1 | Unknown malware botnet C2 server (confidence level: 100%) |
| 15.235.167.145 | Unknown malware botnet C2 server (confidence level: 100%) |
| 34.241.214.245 | Unknown malware botnet C2 server (confidence level: 100%) |
| 13.201.89.149 | Unknown malware botnet C2 server (confidence level: 100%) |
| 63.33.56.166 | Unknown malware botnet C2 server (confidence level: 100%) |
| 13.49.0.94 | Unknown malware botnet C2 server (confidence level: 100%) |
| 16.171.230.230 | Unknown malware botnet C2 server (confidence level: 100%) |
| 188.40.233.29 | Unknown malware botnet C2 server (confidence level: 100%) |
| 142.171.29.139 | Unknown malware botnet C2 server (confidence level: 100%) |
| 63.33.197.184 | Unknown malware botnet C2 server (confidence level: 100%) |
| 13.60.228.174 | Unknown malware botnet C2 server (confidence level: 100%) |
| 4.237.239.58 | Unknown malware botnet C2 server (confidence level: 100%) |
| 164.92.69.60 | Unknown malware botnet C2 server (confidence level: 100%) |
| 47.76.168.32 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 51.38.192.140 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 8.148.27.195 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 161.248.238.54 | Mirai botnet C2 server (confidence level: 75%) |
| 8.138.189.93 | Cobalt Strike botnet C2 server (confidence level: 50%) |
| 43.139.124.56 | Cobalt Strike botnet C2 server (confidence level: 50%) |
| 185.147.124.148 | SectopRAT botnet C2 server (confidence level: 50%) |
| 85.209.128.31 | SectopRAT botnet C2 server (confidence level: 50%) |
| 206.189.116.120 | Unknown malware botnet C2 server (confidence level: 50%) |
| 64.23.133.41 | Unknown malware botnet C2 server (confidence level: 50%) |
| 148.66.11.10 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 38.110.228.216 | Sliver botnet C2 server (confidence level: 50%) |
| 13.49.46.253 | PoshC2 botnet C2 server (confidence level: 50%) |
| 54.236.199.83 | NetSupportManager RAT botnet C2 server (confidence level: 50%) |
| 117.209.82.28 | Mozi botnet C2 server (confidence level: 50%) |
| 123.60.135.200 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 206.238.114.38 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 146.70.41.206 | Sliver botnet C2 server (confidence level: 100%) |
| 196.251.92.3 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 196.251.115.33 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 196.251.115.33 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 173.255.232.239 | Unknown malware botnet C2 server (confidence level: 100%) |
| 47.236.177.123 | Havoc botnet C2 server (confidence level: 100%) |
| 86.93.140.187 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 101.109.205.1 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 54.169.64.63 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 70.31.125.150 | QakBot botnet C2 server (confidence level: 75%) |
| 143.92.60.22 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 18.189.194.55 | Havoc botnet C2 server (confidence level: 100%) |
| 38.134.148.175 | BianLian botnet C2 server (confidence level: 100%) |
| 123.60.135.200 | Cobalt Strike botnet C2 server (confidence level: 75%) |
| 152.42.199.84 | Cobalt Strike botnet C2 server (confidence level: 75%) |
| 23.249.29.117 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 195.211.191.54 | Remcos botnet C2 server (confidence level: 100%) |
| 185.177.239.241 | NjRAT botnet C2 server (confidence level: 100%) |
| 45.204.197.88 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 45.204.199.73 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 161.35.255.100 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 94.198.96.166 | Remcos botnet C2 server (confidence level: 100%) |
| 45.74.15.233 | Remcos botnet C2 server (confidence level: 100%) |
| 47.86.232.155 | Venom RAT botnet C2 server (confidence level: 100%) |
| 161.248.238.54 | Mirai botnet C2 server (confidence level: 75%) |
file27.124.44.132 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file80.64.18.63 | Amadey botnet C2 server (confidence level: 50%) | |
file107.173.4.8 | Remcos botnet C2 server (confidence level: 100%) | |
file179.13.0.197 | Remcos botnet C2 server (confidence level: 100%) | |
file192.3.171.198 | Remcos botnet C2 server (confidence level: 100%) | |
file176.65.141.69 | Remcos botnet C2 server (confidence level: 100%) | |
file84.46.243.167 | Sliver botnet C2 server (confidence level: 100%) | |
file213.209.143.43 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file24.152.36.216 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file24.152.36.216 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file45.141.215.109 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file56.124.32.96 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file34.220.174.146 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file62.171.138.173 | MooBot botnet C2 server (confidence level: 100%) | |
file103.141.158.19 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file209.38.186.227 | Sliver botnet C2 server (confidence level: 75%) | |
file38.147.171.158 | Sliver botnet C2 server (confidence level: 75%) | |
file5.163.185.129 | QakBot botnet C2 server (confidence level: 75%) | |
file78.128.112.209 | Havoc botnet C2 server (confidence level: 75%) |
Hash
Threat ID: 682b7baad3ddd8cef2ea6d35
Added to database: 5/19/2025, 6:42:50 PM
Last enriched: 6/18/2025, 7:17:33 PM
Last updated: 11/22/2025, 6:02:17 AM
Views: 66