ThreatFox IOCs for 2025-06-05
ThreatFox IOCs for 2025-06-05
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on June 5, 2025, by the ThreatFox MISP Feed. These IOCs are categorized under malware-related activities, specifically focusing on OSINT (Open Source Intelligence), payload delivery, and network activity. The data does not specify any particular malware family, affected software versions, or detailed technical characteristics of the threat. No Common Weakness Enumerations (CWEs) are associated, and there is no indication of known exploits in the wild or available patches. The threat level is indicated as medium, with a threatLevel score of 2, analysis score of 1, and distribution score of 3, suggesting moderate concern and distribution. The absence of detailed technical indicators or payload specifics limits the ability to deeply analyze the malware's behavior or attack vectors. The information appears to be primarily a collection of OSINT-derived IOCs intended for threat intelligence sharing rather than a detailed vulnerability or exploit report. The lack of patch availability and known exploits suggests this is either a newly observed threat or one that is still under investigation. The TLP (Traffic Light Protocol) classification is white, indicating the information is intended for public sharing without restrictions.
Potential Impact
For European organizations, the impact of this threat depends largely on the nature and accuracy of the IOCs provided. Since the threat involves payload delivery and network activity, there is a potential risk of malware infection leading to data exfiltration, system compromise, or disruption of services. However, the medium severity and lack of known exploits in the wild imply that immediate widespread impact is unlikely. Organizations that rely heavily on OSINT feeds for threat detection can benefit from integrating these IOCs into their security monitoring tools to enhance detection capabilities. The absence of specific affected products or versions means that the threat could be generic or targeting multiple platforms, which requires vigilance across diverse IT environments. European entities with critical infrastructure or sensitive data may face increased risk if these IOCs correspond to emerging malware campaigns targeting their sectors. Overall, the threat underscores the importance of proactive threat intelligence consumption and network monitoring to detect and respond to potential payload delivery attempts.
Mitigation Recommendations
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) systems and Endpoint Detection and Response (EDR) tools to enhance detection of related malicious activities. 2. Conduct network traffic analysis focusing on anomalies that match the network activity patterns indicated by the IOCs. 3. Maintain updated threat intelligence feeds and cross-reference these IOCs with other sources to identify any emerging patterns or related threats. 4. Implement strict network segmentation and least privilege access controls to limit the potential spread of malware if payload delivery is successful. 5. Educate security teams on the importance of OSINT-based threat intelligence and encourage regular review of public threat feeds like ThreatFox. 6. Since no patches are available, emphasize robust incident response planning and rapid containment strategies in case of detection. 7. Employ multi-factor authentication and continuous monitoring to reduce the risk of initial compromise and lateral movement.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- domain: security.guaedfleres.com
- domain: nemaodi.com
- url: https://nemaodi.com/flare.msi
- domain: robertocalimera.icu
- file: 79.141.160.153
- hash: 443
- domain: jetjetbrzil.shop
- domain: mastercardkeys.world
- hash: 69575d53f0cb5f56293ac9f000889d2b6cb8e78411aa4b954119abe62260cdac
- hash: c55df59ba08f65d53695c37a712a280d944fd1b251319b7049396a77d3bc93e2
- hash: 65955cfb6f9fe3c3398c67ba936637e19faca3058cf0a2748b2a72e533740109
- hash: 7b6f0650b61266f4cceeb300b57980b997e8d81e522e4d00c6b5e35641250df9
- file: 47.105.120.230
- hash: 443
- file: 120.26.98.120
- hash: 443
- file: 47.95.31.143
- hash: 443
- file: 44.203.208.169
- hash: 443
- file: 47.111.154.80
- hash: 80
- file: 43.100.9.138
- hash: 20298
- file: 179.43.176.3
- hash: 3397
- file: 154.247.135.60
- hash: 443
- file: 38.46.221.61
- hash: 34613
- file: 188.153.68.162
- hash: 8808
- url: http://cs16566.tw1.ru/628beae0.php
- domain: basicvitals.com
- file: 191.101.131.227
- hash: 1177
- domain: callbak.link.com
- domain: chat.mrflame.cfd
- file: 198.12.120.209
- hash: 60101
- file: 185.224.128.90
- hash: 80
- file: 192.159.99.140
- hash: 4449
- file: 47.103.60.249
- hash: 60000
- file: 152.136.154.234
- hash: 8080
- file: 13.203.154.150
- hash: 443
- file: 210.245.86.150
- hash: 8080
- file: 34.30.160.123
- hash: 10443
- file: 35.168.219.78
- hash: 443
- file: 178.205.105.94
- hash: 3333
- file: 68.232.175.95
- hash: 443
- domain: bravo-rewards.com
- file: 125.25.102.161
- hash: 7443
- file: 154.53.41.5
- hash: 80
- file: 154.53.41.5
- hash: 443
- url: http://387780cm.nyashvibe.ru/providertrackwppublic.php
- file: 194.156.99.187
- hash: 82
- file: 113.45.225.150
- hash: 7777
- url: http://nitelume.shop/requestcpubigloadwpcentral.php
- hash: d86163423afa32bb0b793ad909d6b357
- hash: 34d8f42e67a6ae938554cb98f939b759
- url: https://wepwwd.live/iauh/api
- url: https://lepidobdkn.digital/taj
- url: https://heartokait.digital/gai
- url: https://https://t.me/stfmms/api
- file: 154.53.41.5
- hash: 1144
- domain: microsofte.zapto.org
- file: 38.247.14.167
- hash: 1337
- file: 107.163.43.144
- hash: 12388
- file: 107.163.241.193
- hash: 6520
- file: 107.163.241.181
- hash: 16300
- file: 96.45.244.194
- hash: 5129
- file: 202.162.99.65
- hash: 1523
- file: 107.163.56.240
- hash: 18963
- file: 107.163.56.241
- hash: 18530
- file: 107.163.56.251
- hash: 6658
- file: 119.45.71.218
- hash: 80
- file: 40.233.84.75
- hash: 9999
- file: 195.179.226.253
- hash: 2096
- file: 113.45.225.150
- hash: 6666
- file: 123.60.142.31
- hash: 80
- file: 49.235.113.177
- hash: 80
- file: 77.83.207.163
- hash: 5000
- file: 47.237.97.169
- hash: 8888
- file: 154.8.231.43
- hash: 443
- file: 141.8.199.79
- hash: 7777
- file: 78.135.82.65
- hash: 7777
- file: 196.120.22.122
- hash: 443
- file: 51.95.114.161
- hash: 4839
- file: 8.139.6.64
- hash: 47486
- file: 104.248.117.30
- hash: 3333
- file: 116.202.3.169
- hash: 443
- file: 85.203.4.56
- hash: 3434
- file: 85.234.100.245
- hash: 4321
- file: 195.206.234.15
- hash: 443
- file: 195.58.34.174
- hash: 8888
- file: 103.106.230.53
- hash: 5900
- file: 69.157.7.21
- hash: 2078
- file: 69.157.7.21
- hash: 2222
- file: 124.70.144.47
- hash: 4321
- file: 144.172.106.67
- hash: 4321
- domain: super.mrflame.cfd
- file: 164.92.253.61
- hash: 4321
- file: 123.249.20.20
- hash: 8082
- file: 212.192.15.213
- hash: 60000
- file: 3.88.14.227
- hash: 4321
- file: 43.138.186.236
- hash: 80
- file: 43.140.221.154
- hash: 4321
- file: 47.122.27.78
- hash: 54321
- file: 8.138.96.41
- hash: 50010
- file: 38.60.203.20
- hash: 443
- file: 119.91.130.241
- hash: 8828
- file: 47.102.209.177
- hash: 80
- file: 167.179.87.189
- hash: 8888
- file: 183.6.20.32
- hash: 4449
- file: 80.87.199.167
- hash: 8030
- file: 121.61.97.95
- hash: 50050
- file: 35.92.206.30
- hash: 31337
- file: 159.89.17.182
- hash: 31337
- file: 37.27.243.83
- hash: 31337
- file: 77.73.39.176
- hash: 4444
- file: 154.223.21.252
- hash: 4444
- file: 43.156.64.185
- hash: 4444
- file: 51.44.163.128
- hash: 8144
- file: 15.185.200.33
- hash: 5435
- file: 43.240.113.10
- hash: 8443
- file: 43.143.216.41
- hash: 9205
- file: 52.143.175.222
- hash: 1337
- file: 194.38.20.80
- hash: 54984
- file: 45.94.47.164
- hash: 9000
- file: 195.158.82.221
- hash: 4433
- url: http://mastercardkeys.world/pragmatical
- url: http://jetjetbrzil.shop/pragmatical
- url: http://twtliquidity.pro/pragmatical
- url: http://85.234.100.245/c2webserver/login/html/
- url: http://server13.cdneurops.health/
- url: http://server1.cdneurops.shop/
- url: https://pastebin.com/raw/xwqshhrb
- domain: krakep.duckdns.org
- domain: shop.xuebimc.com
- file: 51.195.211.236
- hash: 9728
- file: 154.223.132.91
- hash: 23001
- domain: net.drillrp.com
- domain: arcticprivate.duckdns.go
- domain: arcticprivate.duckdns.org
- file: 94.156.112.223
- hash: 55566
- domain: domaincrop.fun
- domain: plaxyrj.run
- domain: runtnwq.run
- domain: tyrpsrl.live
- domain: wepwwd.live
- file: 161.97.138.238
- hash: 8081
- file: 141.98.11.112
- hash: 2404
- file: 188.93.233.232
- hash: 4444
- file: 54.227.80.194
- hash: 80
- file: 146.59.156.28
- hash: 4444
- file: 54.219.75.80
- hash: 32092
- file: 111.229.187.190
- hash: 9443
- domain: cpanel.imirp.co.uk
- file: 156.251.19.84
- hash: 7777
- domain: claudeprofiling.com
- file: 179.43.176.26
- hash: 80
- domain: blindbut.icu
- file: 185.156.72.61
- hash: 80
- domain: loadsmods.net
- domain: stochalyqp.xyz
- domain: peppinqikp.xyz
- url: https://cpanel.imirp.co.uk/profilelayout
- file: 166.88.182.196
- hash: 443
- file: 45.227.252.251
- hash: 34561
- domain: 29a472b675379a4.homes
- domain: 29a472b675379a4.click
- domain: 29a472b675379a4.net
- domain: 29a472b675379a4.com
- domain: a9d2b15fbed0ca9.click
- domain: a9d2b15fbed0ca9.homes
- url: https://peppinqikp.xyz/xaow
- url: https://stochalyqp.xyz/alfp
- url: http://94.158.245.104/fakeurl.htm
- url: https://jaagnet.com/tsks.zip?9a9efb7a93cde5d3c531
- url: https://ministervase.icu/art.php
- url: https://hatescale.info/art.php
- url: http://skintemper.xyz/biu.php
- domain: edgepocket.info
- domain: 51.e2.4t.com
- url: https://51.e2.4t.com/
- url: https://3.cc.4t.com/
- domain: 3.cc.4t.com
- file: 116.202.7.162
- hash: 443
- file: 35.87.19.128
- hash: 443
- file: 143.244.136.94
- hash: 443
- file: 45.141.215.14
- hash: 8000
- file: 35.202.0.75
- hash: 80
- file: 193.36.15.250
- hash: 9000
- domain: 3gvvbrdve1gqr.cfc-execute.bj.baidubce.com
- file: 121.37.168.152
- hash: 4564
- file: 8.130.190.155
- hash: 8888
- file: 45.192.98.219
- hash: 443
- file: 113.44.135.36
- hash: 88
- file: 120.27.154.229
- hash: 80
- file: 43.240.12.185
- hash: 8080
- file: 115.76.200.35
- hash: 8808
- file: 176.97.117.128
- hash: 443
- file: 186.169.35.50
- hash: 8010
- file: 198.55.98.118
- hash: 1911
- file: 8.142.19.203
- hash: 60000
- file: 89.23.98.243
- hash: 32
- url: https://eastwahljc.live/tajs
- url: http://74.207.231.124/forum/viewtopic.php
- url: https://fleurdcuyt.digital/gal
- file: 185.208.159.224
- hash: 4444
- file: 60.205.183.232
- hash: 55555
- url: http://aodwahszxo.temp.swtest.ru/l1nc0in.php
ThreatFox IOCs for 2025-06-05
Description
ThreatFox IOCs for 2025-06-05
AI-Powered Analysis
Technical Analysis
The provided information pertains to a set of Indicators of Compromise (IOCs) published on June 5, 2025, by the ThreatFox MISP Feed. These IOCs are categorized under malware-related activities, specifically focusing on OSINT (Open Source Intelligence), payload delivery, and network activity. The data does not specify any particular malware family, affected software versions, or detailed technical characteristics of the threat. No Common Weakness Enumerations (CWEs) are associated, and there is no indication of known exploits in the wild or available patches. The threat level is indicated as medium, with a threatLevel score of 2, analysis score of 1, and distribution score of 3, suggesting moderate concern and distribution. The absence of detailed technical indicators or payload specifics limits the ability to deeply analyze the malware's behavior or attack vectors. The information appears to be primarily a collection of OSINT-derived IOCs intended for threat intelligence sharing rather than a detailed vulnerability or exploit report. The lack of patch availability and known exploits suggests this is either a newly observed threat or one that is still under investigation. The TLP (Traffic Light Protocol) classification is white, indicating the information is intended for public sharing without restrictions.
Potential Impact
For European organizations, the impact of this threat depends largely on the nature and accuracy of the IOCs provided. Since the threat involves payload delivery and network activity, there is a potential risk of malware infection leading to data exfiltration, system compromise, or disruption of services. However, the medium severity and lack of known exploits in the wild imply that immediate widespread impact is unlikely. Organizations that rely heavily on OSINT feeds for threat detection can benefit from integrating these IOCs into their security monitoring tools to enhance detection capabilities. The absence of specific affected products or versions means that the threat could be generic or targeting multiple platforms, which requires vigilance across diverse IT environments. European entities with critical infrastructure or sensitive data may face increased risk if these IOCs correspond to emerging malware campaigns targeting their sectors. Overall, the threat underscores the importance of proactive threat intelligence consumption and network monitoring to detect and respond to potential payload delivery attempts.
Mitigation Recommendations
1. Integrate the provided IOCs into existing Security Information and Event Management (SIEM) systems and Endpoint Detection and Response (EDR) tools to enhance detection of related malicious activities. 2. Conduct network traffic analysis focusing on anomalies that match the network activity patterns indicated by the IOCs. 3. Maintain updated threat intelligence feeds and cross-reference these IOCs with other sources to identify any emerging patterns or related threats. 4. Implement strict network segmentation and least privilege access controls to limit the potential spread of malware if payload delivery is successful. 5. Educate security teams on the importance of OSINT-based threat intelligence and encourage regular review of public threat feeds like ThreatFox. 6. Since no patches are available, emphasize robust incident response planning and rapid containment strategies in case of detection. 7. Employ multi-factor authentication and continuous monitoring to reduce the risk of initial compromise and lateral movement.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- 6a89364a-73c6-4328-9e8b-fb141aa2924d
- Original Timestamp
- 1749168185
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainsecurity.guaedfleres.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domainnemaodi.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domainrobertocalimera.icu | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainjetjetbrzil.shop | Crocodilus botnet C2 domain (confidence level: 100%) | |
domainmastercardkeys.world | Crocodilus botnet C2 domain (confidence level: 100%) | |
domainbasicvitals.com | Brute Ratel C4 botnet C2 domain (confidence level: 100%) | |
domaincallbak.link.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainchat.mrflame.cfd | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainbravo-rewards.com | Unknown malware botnet C2 domain (confidence level: 100%) | |
domainmicrosofte.zapto.org | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainsuper.mrflame.cfd | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainkrakep.duckdns.org | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainshop.xuebimc.com | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainnet.drillrp.com | Mirai botnet C2 domain (confidence level: 50%) | |
domainarcticprivate.duckdns.go | Nanocore RAT botnet C2 domain (confidence level: 50%) | |
domainarcticprivate.duckdns.org | Nanocore RAT botnet C2 domain (confidence level: 50%) | |
domaindomaincrop.fun | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainplaxyrj.run | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainruntnwq.run | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domaintyrpsrl.live | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domainwepwwd.live | Lumma Stealer botnet C2 domain (confidence level: 50%) | |
domaincpanel.imirp.co.uk | FAKEUPDATES botnet C2 domain (confidence level: 100%) | |
domainclaudeprofiling.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainblindbut.icu | Amadey botnet C2 domain (confidence level: 50%) | |
domainloadsmods.net | Amadey botnet C2 domain (confidence level: 50%) | |
domainstochalyqp.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainpeppinqikp.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domain29a472b675379a4.homes | Crocodilus botnet C2 domain (confidence level: 100%) | |
domain29a472b675379a4.click | Crocodilus botnet C2 domain (confidence level: 100%) | |
domain29a472b675379a4.net | Crocodilus botnet C2 domain (confidence level: 100%) | |
domain29a472b675379a4.com | Crocodilus botnet C2 domain (confidence level: 100%) | |
domaina9d2b15fbed0ca9.click | Crocodilus botnet C2 domain (confidence level: 100%) | |
domaina9d2b15fbed0ca9.homes | Crocodilus botnet C2 domain (confidence level: 100%) | |
domainedgepocket.info | Unknown Loader botnet C2 domain (confidence level: 100%) | |
domain51.e2.4t.com | Vidar botnet C2 domain (confidence level: 100%) | |
domain3.cc.4t.com | Vidar botnet C2 domain (confidence level: 100%) | |
domain3gvvbrdve1gqr.cfc-execute.bj.baidubce.com | Cobalt Strike botnet C2 domain (confidence level: 75%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://nemaodi.com/flare.msi | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttp://cs16566.tw1.ru/628beae0.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://387780cm.nyashvibe.ru/providertrackwppublic.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://nitelume.shop/requestcpubigloadwpcentral.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://wepwwd.live/iauh/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://lepidobdkn.digital/taj | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://heartokait.digital/gai | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://https://t.me/stfmms/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://mastercardkeys.world/pragmatical | Crocodilus botnet C2 (confidence level: 50%) | |
urlhttp://jetjetbrzil.shop/pragmatical | Crocodilus botnet C2 (confidence level: 50%) | |
urlhttp://twtliquidity.pro/pragmatical | Crocodilus botnet C2 (confidence level: 50%) | |
urlhttp://85.234.100.245/c2webserver/login/html/ | AdaptixC2 botnet C2 (confidence level: 50%) | |
urlhttp://server13.cdneurops.health/ | Glupteba botnet C2 (confidence level: 50%) | |
urlhttp://server1.cdneurops.shop/ | Glupteba botnet C2 (confidence level: 50%) | |
urlhttps://pastebin.com/raw/xwqshhrb | AsyncRAT botnet C2 (confidence level: 50%) | |
urlhttps://cpanel.imirp.co.uk/profilelayout | FAKEUPDATES botnet C2 (confidence level: 100%) | |
urlhttps://peppinqikp.xyz/xaow | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://stochalyqp.xyz/alfp | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://94.158.245.104/fakeurl.htm | NetSupportManager RAT botnet C2 (confidence level: 100%) | |
urlhttps://jaagnet.com/tsks.zip?9a9efb7a93cde5d3c531 | NetSupportManager RAT botnet C2 (confidence level: 100%) | |
urlhttps://ministervase.icu/art.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttps://hatescale.info/art.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttp://skintemper.xyz/biu.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttps://51.e2.4t.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://3.cc.4t.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://eastwahljc.live/tajs | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://74.207.231.124/forum/viewtopic.php | Pony botnet C2 (confidence level: 100%) | |
urlhttps://fleurdcuyt.digital/gal | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://aodwahszxo.temp.swtest.ru/l1nc0in.php | DCRat botnet C2 (confidence level: 100%) |
File
| Value | Description | Copy |
|---|---|---|
file79.141.160.153 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
file47.105.120.230 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file120.26.98.120 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file47.95.31.143 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file44.203.208.169 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file47.111.154.80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.100.9.138 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file179.43.176.3 | Remcos botnet C2 server (confidence level: 100%) | |
file154.247.135.60 | Sliver botnet C2 server (confidence level: 100%) | |
file38.46.221.61 | Sliver botnet C2 server (confidence level: 100%) | |
file188.153.68.162 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file191.101.131.227 | NjRAT botnet C2 server (confidence level: 100%) | |
file198.12.120.209 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file185.224.128.90 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file192.159.99.140 | Venom RAT botnet C2 server (confidence level: 100%) | |
file47.103.60.249 | Unknown malware botnet C2 server (confidence level: 100%) | |
file152.136.154.234 | Unknown malware botnet C2 server (confidence level: 100%) | |
file13.203.154.150 | Unknown malware botnet C2 server (confidence level: 100%) | |
file210.245.86.150 | Unknown malware botnet C2 server (confidence level: 100%) | |
file34.30.160.123 | Unknown malware botnet C2 server (confidence level: 100%) | |
file35.168.219.78 | Unknown malware botnet C2 server (confidence level: 100%) | |
file178.205.105.94 | Unknown malware botnet C2 server (confidence level: 100%) | |
file68.232.175.95 | Unknown malware botnet C2 server (confidence level: 100%) | |
file125.25.102.161 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file154.53.41.5 | XWorm botnet C2 server (confidence level: 100%) | |
file154.53.41.5 | XWorm botnet C2 server (confidence level: 100%) | |
file194.156.99.187 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file113.45.225.150 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file154.53.41.5 | XWorm botnet C2 server (confidence level: 100%) | |
file38.247.14.167 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file107.163.43.144 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file107.163.241.193 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file107.163.241.181 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file96.45.244.194 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file202.162.99.65 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file107.163.56.240 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file107.163.56.241 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file107.163.56.251 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file119.45.71.218 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file40.233.84.75 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file195.179.226.253 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file113.45.225.150 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file123.60.142.31 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file49.235.113.177 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file77.83.207.163 | Remcos botnet C2 server (confidence level: 100%) | |
file47.237.97.169 | Unknown malware botnet C2 server (confidence level: 100%) | |
file154.8.231.43 | Havoc botnet C2 server (confidence level: 100%) | |
file141.8.199.79 | DCRat botnet C2 server (confidence level: 100%) | |
file78.135.82.65 | DCRat botnet C2 server (confidence level: 100%) | |
file196.120.22.122 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file51.95.114.161 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file8.139.6.64 | Chaos botnet C2 server (confidence level: 100%) | |
file104.248.117.30 | Unknown malware botnet C2 server (confidence level: 100%) | |
file116.202.3.169 | Vidar botnet C2 server (confidence level: 100%) | |
file85.203.4.56 | NjRAT botnet C2 server (confidence level: 100%) | |
file85.234.100.245 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file195.206.234.15 | BianLian botnet C2 server (confidence level: 75%) | |
file195.58.34.174 | Sliver botnet C2 server (confidence level: 75%) | |
file103.106.230.53 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file69.157.7.21 | QakBot botnet C2 server (confidence level: 75%) | |
file69.157.7.21 | QakBot botnet C2 server (confidence level: 75%) | |
file124.70.144.47 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file144.172.106.67 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file164.92.253.61 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file123.249.20.20 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file212.192.15.213 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file3.88.14.227 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file43.138.186.236 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file43.140.221.154 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file47.122.27.78 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file8.138.96.41 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
file38.60.203.20 | PlugX botnet C2 server (confidence level: 75%) | |
file119.91.130.241 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file47.102.209.177 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file167.179.87.189 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file183.6.20.32 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file80.87.199.167 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file121.61.97.95 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file35.92.206.30 | Sliver botnet C2 server (confidence level: 50%) | |
file159.89.17.182 | Sliver botnet C2 server (confidence level: 50%) | |
file37.27.243.83 | Sliver botnet C2 server (confidence level: 50%) | |
file77.73.39.176 | AdaptixC2 botnet C2 server (confidence level: 50%) | |
file154.223.21.252 | AdaptixC2 botnet C2 server (confidence level: 50%) | |
file43.156.64.185 | AdaptixC2 botnet C2 server (confidence level: 50%) | |
file51.44.163.128 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file15.185.200.33 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file43.240.113.10 | Unknown malware botnet C2 server (confidence level: 50%) | |
file43.143.216.41 | Unknown malware botnet C2 server (confidence level: 50%) | |
file52.143.175.222 | Unknown malware botnet C2 server (confidence level: 50%) | |
file194.38.20.80 | Nanocore RAT botnet C2 server (confidence level: 50%) | |
file45.94.47.164 | SectopRAT botnet C2 server (confidence level: 50%) | |
file195.158.82.221 | Havoc botnet C2 server (confidence level: 50%) | |
file51.195.211.236 | AsyncRAT botnet C2 server (confidence level: 50%) | |
file154.223.132.91 | Unknown malware botnet C2 server (confidence level: 50%) | |
file94.156.112.223 | Remcos botnet C2 server (confidence level: 50%) | |
file161.97.138.238 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file141.98.11.112 | Remcos botnet C2 server (confidence level: 100%) | |
file188.93.233.232 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file54.227.80.194 | Havoc botnet C2 server (confidence level: 100%) | |
file146.59.156.28 | DCRat botnet C2 server (confidence level: 100%) | |
file54.219.75.80 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file111.229.187.190 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file156.251.19.84 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file179.43.176.26 | Amadey botnet C2 server (confidence level: 50%) | |
file185.156.72.61 | Amadey botnet C2 server (confidence level: 50%) | |
file166.88.182.196 | FAKEUPDATES botnet C2 server (confidence level: 100%) | |
file45.227.252.251 | Aurotun Stealer botnet C2 server (confidence level: 100%) | |
file116.202.7.162 | Vidar botnet C2 server (confidence level: 100%) | |
file35.87.19.128 | Sliver botnet C2 server (confidence level: 100%) | |
file143.244.136.94 | Sliver botnet C2 server (confidence level: 100%) | |
file45.141.215.14 | Sliver botnet C2 server (confidence level: 100%) | |
file35.202.0.75 | Havoc botnet C2 server (confidence level: 100%) | |
file193.36.15.250 | Havoc botnet C2 server (confidence level: 100%) | |
file121.37.168.152 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file8.130.190.155 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.192.98.219 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file113.44.135.36 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file120.27.154.229 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.240.12.185 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file115.76.200.35 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file176.97.117.128 | Unknown malware botnet C2 server (confidence level: 100%) | |
file186.169.35.50 | DCRat botnet C2 server (confidence level: 100%) | |
file198.55.98.118 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file8.142.19.203 | Unknown malware botnet C2 server (confidence level: 75%) | |
file89.23.98.243 | N-W0rm botnet C2 server (confidence level: 100%) | |
file185.208.159.224 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file60.205.183.232 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash443 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
hash69575d53f0cb5f56293ac9f000889d2b6cb8e78411aa4b954119abe62260cdac | Crocodilus payload (confidence level: 100%) | |
hashc55df59ba08f65d53695c37a712a280d944fd1b251319b7049396a77d3bc93e2 | Crocodilus payload (confidence level: 100%) | |
hash65955cfb6f9fe3c3398c67ba936637e19faca3058cf0a2748b2a72e533740109 | Crocodilus payload (confidence level: 100%) | |
hash7b6f0650b61266f4cceeb300b57980b997e8d81e522e4d00c6b5e35641250df9 | Crocodilus payload (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash20298 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash3397 | Remcos botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash34613 | Sliver botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash1177 | NjRAT botnet C2 server (confidence level: 100%) | |
hash60101 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash4449 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8080 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8080 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash10443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | XWorm botnet C2 server (confidence level: 100%) | |
hash443 | XWorm botnet C2 server (confidence level: 100%) | |
hash82 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash7777 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hashd86163423afa32bb0b793ad909d6b357 | Unknown malware payload (confidence level: 50%) | |
hash34d8f42e67a6ae938554cb98f939b759 | Unknown malware payload (confidence level: 50%) | |
hash1144 | XWorm botnet C2 server (confidence level: 100%) | |
hash1337 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash12388 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash6520 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash16300 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash5129 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash1523 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash18963 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash18530 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash6658 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9999 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2096 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash6666 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash5000 | Remcos botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash7777 | DCRat botnet C2 server (confidence level: 100%) | |
hash7777 | DCRat botnet C2 server (confidence level: 100%) | |
hash443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash4839 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash47486 | Chaos botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash3434 | NjRAT botnet C2 server (confidence level: 100%) | |
hash4321 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash443 | BianLian botnet C2 server (confidence level: 75%) | |
hash8888 | Sliver botnet C2 server (confidence level: 75%) | |
hash5900 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash2078 | QakBot botnet C2 server (confidence level: 75%) | |
hash2222 | QakBot botnet C2 server (confidence level: 75%) | |
hash4321 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash4321 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash4321 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash8082 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash60000 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash4321 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash80 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash4321 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash54321 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash50010 | AdaptixC2 botnet C2 server (confidence level: 75%) | |
hash443 | PlugX botnet C2 server (confidence level: 75%) | |
hash8828 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash4449 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash8030 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash50050 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash4444 | AdaptixC2 botnet C2 server (confidence level: 50%) | |
hash4444 | AdaptixC2 botnet C2 server (confidence level: 50%) | |
hash4444 | AdaptixC2 botnet C2 server (confidence level: 50%) | |
hash8144 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
hash5435 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash9205 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash1337 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash54984 | Nanocore RAT botnet C2 server (confidence level: 50%) | |
hash9000 | SectopRAT botnet C2 server (confidence level: 50%) | |
hash4433 | Havoc botnet C2 server (confidence level: 50%) | |
hash9728 | AsyncRAT botnet C2 server (confidence level: 50%) | |
hash23001 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash55566 | Remcos botnet C2 server (confidence level: 50%) | |
hash8081 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash4444 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash80 | Havoc botnet C2 server (confidence level: 100%) | |
hash4444 | DCRat botnet C2 server (confidence level: 100%) | |
hash32092 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash9443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash7777 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash80 | Amadey botnet C2 server (confidence level: 50%) | |
hash80 | Amadey botnet C2 server (confidence level: 50%) | |
hash443 | FAKEUPDATES botnet C2 server (confidence level: 100%) | |
hash34561 | Aurotun Stealer botnet C2 server (confidence level: 100%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash8000 | Sliver botnet C2 server (confidence level: 100%) | |
hash80 | Havoc botnet C2 server (confidence level: 100%) | |
hash9000 | Havoc botnet C2 server (confidence level: 100%) | |
hash4564 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash88 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8010 | DCRat botnet C2 server (confidence level: 100%) | |
hash1911 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash60000 | Unknown malware botnet C2 server (confidence level: 75%) | |
hash32 | N-W0rm botnet C2 server (confidence level: 100%) | |
hash4444 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash55555 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Threat ID: 68490f133cd93dcca832046b
Added to database: 6/11/2025, 5:07:31 AM
Last enriched: 7/12/2025, 5:04:26 AM
Last updated: 8/7/2025, 8:25:00 AM
Views: 40
Related Threats
ThreatFox IOCs for 2025-08-11
MediumFrom ClickFix to Command: A Full PowerShell Attack Chain
MediumNorth Korean Group ScarCruft Expands From Spying to Ransomware Attacks
MediumMedusaLocker ransomware group is looking for pentesters
MediumThreatFox IOCs for 2025-08-10
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.