ThreatFox IOCs for 2025-06-24
ThreatFox IOCs for 2025-06-24
AI Analysis
Technical Summary
The provided threat intelligence relates to a malware-related report titled "ThreatFox IOCs for 2025-06-24," sourced from the ThreatFox MISP Feed. The threat is categorized primarily under OSINT (Open Source Intelligence), payload delivery, and network activity. The information indicates that this is a medium severity threat with no specific affected product versions or patches available, and no known exploits currently active in the wild. The lack of concrete indicators of compromise (IOCs) or detailed technical specifics suggests this report is more of a situational awareness update rather than a detailed vulnerability or exploit disclosure. The threat level is rated as 2 on an unspecified scale, with moderate distribution (3) and minimal analysis (1), implying limited current understanding or impact. The absence of Common Weakness Enumeration (CWE) identifiers and no patch availability further indicates this is likely a newly observed or emerging threat vector primarily involving OSINT techniques to facilitate payload delivery and network-based malicious activity. Given the nature of OSINT and network activity, the threat could involve reconnaissance, data gathering, or initial infection stages that precede more severe attacks. However, the lack of known exploits and specific affected software versions reduces immediate risk. The TLP (Traffic Light Protocol) white tag suggests the information is intended for broad distribution without restrictions.
Potential Impact
For European organizations, the impact of this threat is currently limited but should not be underestimated. Since the threat involves OSINT and network activity related to payload delivery, it could be used as a precursor to more targeted attacks such as phishing, malware deployment, or lateral movement within networks. Organizations relying heavily on open-source intelligence for decision-making or those with extensive network exposure could be at risk of reconnaissance and subsequent exploitation attempts. The absence of known exploits and patches means that the threat is likely in an early stage, but the medium severity rating indicates potential for escalation. If leveraged effectively by threat actors, this could lead to confidentiality breaches, integrity compromises, or availability disruptions, especially if payload delivery results in malware infections. European entities in sectors with high network interconnectivity or those targeted by advanced persistent threats (APTs) should remain vigilant. The lack of specific IOCs limits immediate detection capabilities, increasing the risk of undetected reconnaissance and initial compromise.
Mitigation Recommendations
Given the nature of this threat, European organizations should adopt a proactive and layered defense approach beyond generic advice. Specific recommendations include: 1) Enhance network monitoring to detect unusual outbound or inbound traffic patterns that may indicate OSINT-driven reconnaissance or payload delivery attempts. 2) Implement strict segmentation and micro-segmentation to limit lateral movement if initial compromise occurs. 3) Employ threat intelligence sharing platforms to rapidly update and disseminate any emerging IOCs related to this threat. 4) Conduct regular employee training focused on recognizing social engineering and phishing attempts that may be facilitated by OSINT activities. 5) Utilize advanced endpoint detection and response (EDR) tools capable of identifying anomalous payload delivery behaviors. 6) Harden external-facing services and minimize exposed attack surfaces to reduce the effectiveness of network-based reconnaissance. 7) Regularly review and update incident response plans to incorporate scenarios involving OSINT-enabled payload delivery. These targeted measures will help mitigate the risk posed by this evolving threat vector.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Indicators of Compromise
- domain: webdatacache.com
- url: http://95.164.53.45/api/ytasodysodisowqsytesodgsotasotusnjusn2qs
- url: http://77.105.164.178/api/ytasodysodisowqsytesodgsotasotusnjusn2qs
- url: https://swedrent.com/3c7b.js
- url: https://swedrent.com/js.php
- url: https://devindicator.dev/webgl.wav
- domain: devindicator.dev
- url: https://jswebcloud.com/sync.adv.min.js
- url: https://leatherbook.org/sr0ymlwkoocyizuxcrfr3hwgupyipamxa-glcdabjew
- url: http://185.157.213.40/ver/0622/dat1/dtbeuj.pdf
- file: 195.82.146.92
- hash: 80
- url: http://195.82.146.92/23be681439654a60.php
- domain: security.fhqreagurard.com
- domain: dovlica.com
- url: https://dovlica.com/shield.msi
- file: 77.232.41.51
- hash: 27862
- file: 77.232.41.51
- hash: 27589
- file: 194.68.225.195
- hash: 29491
- file: 77.232.41.51
- hash: 21695
- url: http://141.98.6.56/api/ytasodysodisowqsytesodgsotasotusnjusn2qs
- file: 31.59.185.111
- hash: 80
- file: 115.190.74.103
- hash: 9333
- file: 62.234.153.73
- hash: 443
- file: 47.102.209.177
- hash: 33221
- file: 113.45.148.46
- hash: 80
- file: 42.51.40.191
- hash: 8080
- file: 194.59.30.68
- hash: 2404
- file: 158.180.231.221
- hash: 31337
- file: 34.85.142.2
- hash: 443
- file: 196.251.88.108
- hash: 1337
- file: 160.25.7.240
- hash: 80
- file: 160.25.7.240
- hash: 7443
- file: 139.59.16.42
- hash: 443
- file: 139.59.16.42
- hash: 7443
- file: 91.92.46.12
- hash: 80
- file: 35.170.185.100
- hash: 443
- file: 83.147.247.70
- hash: 7777
- file: 3.36.127.61
- hash: 6697
- file: 16.16.28.179
- hash: 18245
- file: 16.16.28.179
- hash: 445
- file: 156.244.1.13
- hash: 443
- file: 77.90.153.88
- hash: 443
- url: http://a1139694.xsph.ru/0160b1ec.php
- domain: ecs-1-94-41-160.compute.hwclouds-dns.com
- domain: imap.dkairsystems.com
- domain: arni110.painhealingcenter.com
- file: 20.89.73.220
- hash: 80
- file: 123.60.55.180
- hash: 80
- file: 4.201.115.65
- hash: 31337
- file: 154.9.25.38
- hash: 8888
- file: 95.129.235.106
- hash: 8888
- file: 66.179.92.184
- hash: 443
- file: 45.138.16.246
- hash: 8088
- file: 45.138.16.246
- hash: 8808
- file: 45.138.16.246
- hash: 7707
- domain: ec2-100-25-215-41.compute-1.amazonaws.com
- file: 91.92.46.12
- hash: 8080
- file: 63.177.241.22
- hash: 2380
- file: 13.158.139.252
- hash: 2083
- file: 107.175.87.229
- hash: 3333
- file: 52.58.136.199
- hash: 80
- file: 52.58.136.199
- hash: 443
- file: 102.209.68.150
- hash: 3333
- file: 82.147.84.186
- hash: 1724
- file: 176.98.185.91
- hash: 443
- file: 3.138.37.3
- hash: 3333
- file: 52.77.254.163
- hash: 443
- file: 84.200.192.247
- hash: 8443
- file: 178.172.172.205
- hash: 8080
- file: 61.178.200.6
- hash: 8080
- file: 13.204.83.93
- hash: 443
- file: 139.59.46.33
- hash: 3333
- file: 61.178.200.12
- hash: 8080
- file: 95.130.160.253
- hash: 8251
- file: 13.210.249.235
- hash: 3333
- file: 45.192.176.104
- hash: 8090
- file: 3.98.131.98
- hash: 443
- file: 196.251.69.173
- hash: 1915
- file: 196.251.66.55
- hash: 2404
- url: http://airplanemove.info/yut.php
- domain: eyeagreement.info
- file: 195.186.208.193
- hash: 3033
- file: 54.211.223.112
- hash: 16465
- domain: rem.aaahorneswll.com
- domain: systemcopilotdriver.ydns.eu
- domain: kamdumbk.duckdns.org
- domain: kamdum.duckdns.org
- domain: wmieventlogonlinehelp.ydns.eu
- file: 47.94.91.13
- hash: 80
- file: 121.37.190.172
- hash: 443
- file: 196.251.117.41
- hash: 8888
- file: 196.251.117.41
- hash: 8443
- file: 39.106.152.200
- hash: 443
- file: 156.227.233.153
- hash: 4433
- file: 188.166.236.93
- hash: 8080
- file: 172.94.96.144
- hash: 6606
- file: 75.69.164.4
- hash: 6606
- file: 44.251.164.0
- hash: 7443
- file: 157.230.34.254
- hash: 80
- domain: adiobast.icu
- domain: securityhealthsystray.ydns.eu
- file: 95.142.45.249
- hash: 636
- file: 150.158.46.102
- hash: 81
- file: 121.36.62.154
- hash: 8081
- file: 106.53.115.217
- hash: 80
- file: 38.181.219.238
- hash: 8080
- file: 1.94.247.165
- hash: 8888
- file: 107.174.88.61
- hash: 4443
- file: 107.174.88.61
- hash: 80
- file: 72.155.88.31
- hash: 80
- file: 209.137.201.20
- hash: 443
- file: 51.15.193.108
- hash: 40056
- file: 51.211.213.23
- hash: 995
- file: 67.61.43.148
- hash: 443
- file: 70.31.125.48
- hash: 2078
- file: 95.211.43.236
- hash: 55615
- file: 95.182.101.66
- hash: 443
- file: 123.56.6.7
- hash: 2053
- file: 106.52.239.89
- hash: 80
- file: 95.215.204.85
- hash: 63513
- file: 185.149.24.141
- hash: 2404
- file: 155.133.26.179
- hash: 2404
- file: 23.227.203.244
- hash: 443
- file: 167.99.244.140
- hash: 7443
- file: 41.36.84.42
- hash: 1339
- file: 179.43.186.224
- hash: 443
- file: 216.144.227.103
- hash: 443
- file: 94.158.245.135
- hash: 443
- domain: 1357965137-hnjcoxitoz.ap-guangzhou.tencentscf.com
- domain: 28k85x5jb1k9a.cfc-execute.bj.baidubce.com
- domain: kerneltaskmanager.com
- domain: owa.kerneltaskmanager.com
- domain: profile.kerneltaskmanager.com
- file: 104.223.120.202
- hash: 8080
- file: 107.149.192.54
- hash: 7443
- file: 107.149.192.57
- hash: 7443
- domain: folders.emeraldpinesolutions.com
- file: 120.27.235.78
- hash: 82
- url: http://45.141.233.187/274573807382bb15.php
- file: 45.88.91.254
- hash: 7707
- file: 154.22.5.243
- hash: 2424
- domain: top-inform.gl.at.ply.gg
- domain: dgost5.duckdns.org
- url: https://evricourier-notice.top/api
- domain: tpinauskas-54803.portmap.host
- file: 89.10.178.51
- hash: 4782
- domain: letsqooo-62766.portmap.host
- file: 182.253.58.75
- hash: 4782
- domain: microsoftsys.ddns.net
- domain: dez3452-33187.portmap.host
- url: https://folders.emeraldpinesolutions.com/viewdashboard
- file: 23.146.184.117
- hash: 443
- file: 73.62.14.5
- hash: 4782
- file: 137.184.144.245
- hash: 4782
- domain: yzs-42879.portmap.host
- domain: connectdadad.ddns.net
- domain: www.ferrylin.com
- domain: www.screence.store
- domain: basefashionsbd.duckdns.org
- file: 45.62.170.181
- hash: 2404
- domain: noneeds.dynuddns.com
- domain: zip.mysynology.net
- domain: lohoainam2008-36048.portmap.io
- domain: skido.hopto.org
- domain: talk-chief.gl.at.ply.gg
- domain: security-territory.gl.at.ply.gg
- file: 85.203.4.68
- hash: 5000
- file: 216.9.225.221
- hash: 23029
- file: 216.9.225.221
- hash: 8304
- domain: newdayplss.duckdns.org
- domain: deepholeintheworld.com
- file: 43.163.84.111
- hash: 443
- file: 132.232.166.80
- hash: 443
- file: 124.198.132.213
- hash: 9999
- file: 164.68.120.30
- hash: 2222
- file: 34.176.213.31
- hash: 443
- file: 81.43.20.0
- hash: 443
- file: 194.59.30.239
- hash: 443
- file: 15.168.13.231
- hash: 2086
- file: 94.74.106.10
- hash: 8080
- file: 196.251.117.166
- hash: 80
- url: https://b2.xs.mastermaths.com.sg/
- domain: b2.xs.mastermaths.com.sg
- domain: cdn.panggexxx9823.top
- file: 8.138.23.192
- hash: 443
- file: 204.12.254.98
- hash: 80
- file: 204.12.254.98
- hash: 443
- file: 184.75.208.178
- hash: 2758
- file: 93.152.217.141
- hash: 80
- file: 45.8.159.172
- hash: 443
- file: 13.60.233.186
- hash: 80
- file: 103.190.107.26
- hash: 443
- file: 34.0.227.68
- hash: 443
- file: 43.198.187.252
- hash: 7443
- file: 206.206.126.179
- hash: 22
- file: 150.136.49.213
- hash: 19443
- file: 154.246.71.41
- hash: 22
- file: 156.244.14.177
- hash: 443
- file: 2.50.13.192
- hash: 443
- file: 35.152.189.99
- hash: 443
- file: 52.143.134.94
- hash: 443
- file: 92.116.89.198
- hash: 443
- file: 156.245.12.129
- hash: 443
- file: 182.16.78.242
- hash: 443
- file: 104.223.120.202
- hash: 80
ThreatFox IOCs for 2025-06-24
Description
ThreatFox IOCs for 2025-06-24
AI-Powered Analysis
Technical Analysis
The provided threat intelligence relates to a malware-related report titled "ThreatFox IOCs for 2025-06-24," sourced from the ThreatFox MISP Feed. The threat is categorized primarily under OSINT (Open Source Intelligence), payload delivery, and network activity. The information indicates that this is a medium severity threat with no specific affected product versions or patches available, and no known exploits currently active in the wild. The lack of concrete indicators of compromise (IOCs) or detailed technical specifics suggests this report is more of a situational awareness update rather than a detailed vulnerability or exploit disclosure. The threat level is rated as 2 on an unspecified scale, with moderate distribution (3) and minimal analysis (1), implying limited current understanding or impact. The absence of Common Weakness Enumeration (CWE) identifiers and no patch availability further indicates this is likely a newly observed or emerging threat vector primarily involving OSINT techniques to facilitate payload delivery and network-based malicious activity. Given the nature of OSINT and network activity, the threat could involve reconnaissance, data gathering, or initial infection stages that precede more severe attacks. However, the lack of known exploits and specific affected software versions reduces immediate risk. The TLP (Traffic Light Protocol) white tag suggests the information is intended for broad distribution without restrictions.
Potential Impact
For European organizations, the impact of this threat is currently limited but should not be underestimated. Since the threat involves OSINT and network activity related to payload delivery, it could be used as a precursor to more targeted attacks such as phishing, malware deployment, or lateral movement within networks. Organizations relying heavily on open-source intelligence for decision-making or those with extensive network exposure could be at risk of reconnaissance and subsequent exploitation attempts. The absence of known exploits and patches means that the threat is likely in an early stage, but the medium severity rating indicates potential for escalation. If leveraged effectively by threat actors, this could lead to confidentiality breaches, integrity compromises, or availability disruptions, especially if payload delivery results in malware infections. European entities in sectors with high network interconnectivity or those targeted by advanced persistent threats (APTs) should remain vigilant. The lack of specific IOCs limits immediate detection capabilities, increasing the risk of undetected reconnaissance and initial compromise.
Mitigation Recommendations
Given the nature of this threat, European organizations should adopt a proactive and layered defense approach beyond generic advice. Specific recommendations include: 1) Enhance network monitoring to detect unusual outbound or inbound traffic patterns that may indicate OSINT-driven reconnaissance or payload delivery attempts. 2) Implement strict segmentation and micro-segmentation to limit lateral movement if initial compromise occurs. 3) Employ threat intelligence sharing platforms to rapidly update and disseminate any emerging IOCs related to this threat. 4) Conduct regular employee training focused on recognizing social engineering and phishing attempts that may be facilitated by OSINT activities. 5) Utilize advanced endpoint detection and response (EDR) tools capable of identifying anomalous payload delivery behaviors. 6) Harden external-facing services and minimize exposed attack surfaces to reduce the effectiveness of network-based reconnaissance. 7) Regularly review and update incident response plans to incorporate scenarios involving OSINT-enabled payload delivery. These targeted measures will help mitigate the risk posed by this evolving threat vector.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- 921ff70e-bb8a-4cd7-98ab-46e900e4b7dc
- Original Timestamp
- 1750809786
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainwebdatacache.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domaindevindicator.dev | KongTuke payload delivery domain (confidence level: 100%) | |
domainsecurity.fhqreagurard.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domaindovlica.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domainecs-1-94-41-160.compute.hwclouds-dns.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainimap.dkairsystems.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainarni110.painhealingcenter.com | Cobalt Strike botnet C2 domain (confidence level: 100%) | |
domainec2-100-25-215-41.compute-1.amazonaws.com | Unknown malware botnet C2 domain (confidence level: 100%) | |
domaineyeagreement.info | Unknown Loader botnet C2 domain (confidence level: 100%) | |
domainrem.aaahorneswll.com | Remcos botnet C2 domain (confidence level: 100%) | |
domainsystemcopilotdriver.ydns.eu | Remcos botnet C2 domain (confidence level: 100%) | |
domainkamdumbk.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) | |
domainkamdum.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) | |
domainwmieventlogonlinehelp.ydns.eu | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainadiobast.icu | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainsecurityhealthsystray.ydns.eu | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domain1357965137-hnjcoxitoz.ap-guangzhou.tencentscf.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domain28k85x5jb1k9a.cfc-execute.bj.baidubce.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainkerneltaskmanager.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainowa.kerneltaskmanager.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainprofile.kerneltaskmanager.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainfolders.emeraldpinesolutions.com | FAKEUPDATES botnet C2 domain (confidence level: 100%) | |
domaintop-inform.gl.at.ply.gg | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domaindgost5.duckdns.org | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domaintpinauskas-54803.portmap.host | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainletsqooo-62766.portmap.host | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainmicrosoftsys.ddns.net | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domaindez3452-33187.portmap.host | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainyzs-42879.portmap.host | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainconnectdadad.ddns.net | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainwww.ferrylin.com | Remcos botnet C2 domain (confidence level: 100%) | |
domainwww.screence.store | Remcos botnet C2 domain (confidence level: 100%) | |
domainbasefashionsbd.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) | |
domainnoneeds.dynuddns.com | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainzip.mysynology.net | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainlohoainam2008-36048.portmap.io | XWorm botnet C2 domain (confidence level: 100%) | |
domainskido.hopto.org | Nanocore RAT botnet C2 domain (confidence level: 100%) | |
domaintalk-chief.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 100%) | |
domainsecurity-territory.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 100%) | |
domainnewdayplss.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) | |
domaindeepholeintheworld.com | NetSupportManager RAT botnet C2 domain (confidence level: 100%) | |
domainb2.xs.mastermaths.com.sg | Vidar botnet C2 domain (confidence level: 100%) | |
domaincdn.panggexxx9823.top | Cobalt Strike botnet C2 domain (confidence level: 75%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://95.164.53.45/api/ytasodysodisowqsytesodgsotasotusnjusn2qs | SmartLoader botnet C2 (confidence level: 75%) | |
urlhttp://77.105.164.178/api/ytasodysodisowqsytesodgsotasotusnjusn2qs | SmartLoader botnet C2 (confidence level: 75%) | |
urlhttps://swedrent.com/3c7b.js | KongTuke payload delivery URL (confidence level: 100%) | |
urlhttps://swedrent.com/js.php | KongTuke payload delivery URL (confidence level: 100%) | |
urlhttps://devindicator.dev/webgl.wav | KongTuke payload delivery URL (confidence level: 100%) | |
urlhttps://jswebcloud.com/sync.adv.min.js | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttps://leatherbook.org/sr0ymlwkoocyizuxcrfr3hwgupyipamxa-glcdabjew | FAKEUPDATES payload delivery URL (confidence level: 100%) | |
urlhttp://185.157.213.40/ver/0622/dat1/dtbeuj.pdf | PureCrypter botnet C2 (confidence level: 75%) | |
urlhttp://195.82.146.92/23be681439654a60.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttps://dovlica.com/shield.msi | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttp://141.98.6.56/api/ytasodysodisowqsytesodgsotasotusnjusn2qs | SmartLoader botnet C2 (confidence level: 75%) | |
urlhttp://a1139694.xsph.ru/0160b1ec.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://airplanemove.info/yut.php | Unknown Loader botnet C2 (confidence level: 100%) | |
urlhttp://45.141.233.187/274573807382bb15.php | Stealc botnet C2 (confidence level: 100%) | |
urlhttps://evricourier-notice.top/api | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttps://folders.emeraldpinesolutions.com/viewdashboard | FAKEUPDATES botnet C2 (confidence level: 100%) | |
urlhttps://b2.xs.mastermaths.com.sg/ | Vidar botnet C2 (confidence level: 100%) |
File
| Value | Description | Copy |
|---|---|---|
file195.82.146.92 | Stealc botnet C2 server (confidence level: 100%) | |
file77.232.41.51 | Mirai botnet C2 server (confidence level: 100%) | |
file77.232.41.51 | Mirai botnet C2 server (confidence level: 100%) | |
file194.68.225.195 | Mirai botnet C2 server (confidence level: 100%) | |
file77.232.41.51 | Mirai botnet C2 server (confidence level: 100%) | |
file31.59.185.111 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file115.190.74.103 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file62.234.153.73 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file47.102.209.177 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file113.45.148.46 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file42.51.40.191 | Ghost RAT botnet C2 server (confidence level: 100%) | |
file194.59.30.68 | Remcos botnet C2 server (confidence level: 100%) | |
file158.180.231.221 | Sliver botnet C2 server (confidence level: 100%) | |
file34.85.142.2 | Sliver botnet C2 server (confidence level: 100%) | |
file196.251.88.108 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file160.25.7.240 | Unknown malware botnet C2 server (confidence level: 100%) | |
file160.25.7.240 | Unknown malware botnet C2 server (confidence level: 100%) | |
file139.59.16.42 | Unknown malware botnet C2 server (confidence level: 100%) | |
file139.59.16.42 | Unknown malware botnet C2 server (confidence level: 100%) | |
file91.92.46.12 | Hook botnet C2 server (confidence level: 100%) | |
file35.170.185.100 | Havoc botnet C2 server (confidence level: 100%) | |
file83.147.247.70 | DCRat botnet C2 server (confidence level: 100%) | |
file3.36.127.61 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file16.16.28.179 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file16.16.28.179 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file156.244.1.13 | Nimplant botnet C2 server (confidence level: 100%) | |
file77.90.153.88 | Latrodectus botnet C2 server (confidence level: 90%) | |
file20.89.73.220 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file123.60.55.180 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file4.201.115.65 | Sliver botnet C2 server (confidence level: 90%) | |
file154.9.25.38 | Unknown malware botnet C2 server (confidence level: 100%) | |
file95.129.235.106 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file66.179.92.184 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file45.138.16.246 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file45.138.16.246 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file45.138.16.246 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file91.92.46.12 | ERMAC botnet C2 server (confidence level: 100%) | |
file63.177.241.22 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file13.158.139.252 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file107.175.87.229 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.58.136.199 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.58.136.199 | Unknown malware botnet C2 server (confidence level: 100%) | |
file102.209.68.150 | Unknown malware botnet C2 server (confidence level: 100%) | |
file82.147.84.186 | Unknown malware botnet C2 server (confidence level: 100%) | |
file176.98.185.91 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.138.37.3 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.77.254.163 | Unknown malware botnet C2 server (confidence level: 100%) | |
file84.200.192.247 | Unknown malware botnet C2 server (confidence level: 100%) | |
file178.172.172.205 | Unknown malware botnet C2 server (confidence level: 100%) | |
file61.178.200.6 | Unknown malware botnet C2 server (confidence level: 100%) | |
file13.204.83.93 | Unknown malware botnet C2 server (confidence level: 100%) | |
file139.59.46.33 | Unknown malware botnet C2 server (confidence level: 100%) | |
file61.178.200.12 | Unknown malware botnet C2 server (confidence level: 100%) | |
file95.130.160.253 | Unknown malware botnet C2 server (confidence level: 100%) | |
file13.210.249.235 | Unknown malware botnet C2 server (confidence level: 100%) | |
file45.192.176.104 | Unknown malware botnet C2 server (confidence level: 100%) | |
file3.98.131.98 | Unknown malware botnet C2 server (confidence level: 100%) | |
file196.251.69.173 | Rhadamanthys botnet C2 server (confidence level: 100%) | |
file196.251.66.55 | Remcos botnet C2 server (confidence level: 75%) | |
file195.186.208.193 | XWorm botnet C2 server (confidence level: 75%) | |
file54.211.223.112 | Remcos botnet C2 server (confidence level: 75%) | |
file47.94.91.13 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file121.37.190.172 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file196.251.117.41 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file196.251.117.41 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file39.106.152.200 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file156.227.233.153 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file188.166.236.93 | Sliver botnet C2 server (confidence level: 100%) | |
file172.94.96.144 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file75.69.164.4 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file44.251.164.0 | Unknown malware botnet C2 server (confidence level: 100%) | |
file157.230.34.254 | Havoc botnet C2 server (confidence level: 100%) | |
file95.142.45.249 | BianLian botnet C2 server (confidence level: 100%) | |
file150.158.46.102 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file121.36.62.154 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file106.53.115.217 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file38.181.219.238 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file1.94.247.165 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file107.174.88.61 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file107.174.88.61 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file72.155.88.31 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file209.137.201.20 | QakBot botnet C2 server (confidence level: 75%) | |
file51.15.193.108 | Havoc botnet C2 server (confidence level: 75%) | |
file51.211.213.23 | QakBot botnet C2 server (confidence level: 75%) | |
file67.61.43.148 | QakBot botnet C2 server (confidence level: 75%) | |
file70.31.125.48 | QakBot botnet C2 server (confidence level: 75%) | |
file95.211.43.236 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file95.182.101.66 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file123.56.6.7 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file106.52.239.89 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file95.215.204.85 | Remcos botnet C2 server (confidence level: 100%) | |
file185.149.24.141 | Remcos botnet C2 server (confidence level: 100%) | |
file155.133.26.179 | Remcos botnet C2 server (confidence level: 100%) | |
file23.227.203.244 | Sliver botnet C2 server (confidence level: 100%) | |
file167.99.244.140 | Unknown malware botnet C2 server (confidence level: 100%) | |
file41.36.84.42 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file179.43.186.224 | Havoc botnet C2 server (confidence level: 100%) | |
file216.144.227.103 | Havoc botnet C2 server (confidence level: 100%) | |
file94.158.245.135 | NetSupportManager RAT botnet C2 server (confidence level: 99%) | |
file104.223.120.202 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file107.149.192.54 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file107.149.192.57 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file120.27.235.78 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file45.88.91.254 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file154.22.5.243 | XWorm botnet C2 server (confidence level: 100%) | |
file89.10.178.51 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file182.253.58.75 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file23.146.184.117 | FAKEUPDATES botnet C2 server (confidence level: 100%) | |
file73.62.14.5 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file137.184.144.245 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file45.62.170.181 | Remcos botnet C2 server (confidence level: 100%) | |
file85.203.4.68 | XWorm botnet C2 server (confidence level: 100%) | |
file216.9.225.221 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file216.9.225.221 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file43.163.84.111 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file132.232.166.80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file124.198.132.213 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file164.68.120.30 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file34.176.213.31 | Unknown malware botnet C2 server (confidence level: 100%) | |
file81.43.20.0 | Havoc botnet C2 server (confidence level: 100%) | |
file194.59.30.239 | Havoc botnet C2 server (confidence level: 100%) | |
file15.168.13.231 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file94.74.106.10 | Chaos botnet C2 server (confidence level: 100%) | |
file196.251.117.166 | Bashlite botnet C2 server (confidence level: 100%) | |
file8.138.23.192 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file204.12.254.98 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file204.12.254.98 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file184.75.208.178 | Remcos botnet C2 server (confidence level: 100%) | |
file93.152.217.141 | Remcos botnet C2 server (confidence level: 100%) | |
file45.8.159.172 | Sliver botnet C2 server (confidence level: 100%) | |
file13.60.233.186 | Sliver botnet C2 server (confidence level: 100%) | |
file103.190.107.26 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file34.0.227.68 | Unknown malware botnet C2 server (confidence level: 100%) | |
file43.198.187.252 | Unknown malware botnet C2 server (confidence level: 100%) | |
file206.206.126.179 | DCRat botnet C2 server (confidence level: 100%) | |
file150.136.49.213 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file154.246.71.41 | QakBot botnet C2 server (confidence level: 75%) | |
file156.244.14.177 | Havoc botnet C2 server (confidence level: 75%) | |
file2.50.13.192 | QakBot botnet C2 server (confidence level: 75%) | |
file35.152.189.99 | Eye Pyramid botnet C2 server (confidence level: 75%) | |
file52.143.134.94 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file92.116.89.198 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file156.245.12.129 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file182.16.78.242 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file104.223.120.202 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash80 | Stealc botnet C2 server (confidence level: 100%) | |
hash27862 | Mirai botnet C2 server (confidence level: 100%) | |
hash27589 | Mirai botnet C2 server (confidence level: 100%) | |
hash29491 | Mirai botnet C2 server (confidence level: 100%) | |
hash21695 | Mirai botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9333 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash33221 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Ghost RAT botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash31337 | Sliver botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash1337 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash80 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Hook botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash7777 | DCRat botnet C2 server (confidence level: 100%) | |
hash6697 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash18245 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash445 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash443 | Nimplant botnet C2 server (confidence level: 100%) | |
hash443 | Latrodectus botnet C2 server (confidence level: 90%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash31337 | Sliver botnet C2 server (confidence level: 90%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8888 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8088 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7707 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8080 | ERMAC botnet C2 server (confidence level: 100%) | |
hash2380 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash2083 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash1724 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8080 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8080 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8080 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8251 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8090 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash1915 | Rhadamanthys botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 75%) | |
hash3033 | XWorm botnet C2 server (confidence level: 75%) | |
hash16465 | Remcos botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Sliver botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Havoc botnet C2 server (confidence level: 100%) | |
hash636 | BianLian botnet C2 server (confidence level: 100%) | |
hash81 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8081 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash40056 | Havoc botnet C2 server (confidence level: 75%) | |
hash995 | QakBot botnet C2 server (confidence level: 75%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash2078 | QakBot botnet C2 server (confidence level: 75%) | |
hash55615 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2053 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash63513 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash1339 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | NetSupportManager RAT botnet C2 server (confidence level: 99%) | |
hash8080 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash7443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash7443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash82 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash7707 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash2424 | XWorm botnet C2 server (confidence level: 100%) | |
hash4782 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash4782 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash443 | FAKEUPDATES botnet C2 server (confidence level: 100%) | |
hash4782 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash4782 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash5000 | XWorm botnet C2 server (confidence level: 100%) | |
hash23029 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash8304 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9999 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash2222 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash2086 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash8080 | Chaos botnet C2 server (confidence level: 100%) | |
hash80 | Bashlite botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2758 | Remcos botnet C2 server (confidence level: 100%) | |
hash80 | Remcos botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash80 | Sliver botnet C2 server (confidence level: 100%) | |
hash443 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash22 | DCRat botnet C2 server (confidence level: 100%) | |
hash19443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash22 | QakBot botnet C2 server (confidence level: 75%) | |
hash443 | Havoc botnet C2 server (confidence level: 75%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash443 | Eye Pyramid botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash443 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 75%) |
Threat ID: 685b407766faf0c1de3b5e9a
Added to database: 6/25/2025, 12:19:03 AM
Last enriched: 6/25/2025, 12:34:19 AM
Last updated: 8/17/2025, 8:26:47 AM
Views: 22
Related Threats
ThreatFox IOCs for 2025-08-17
MediumThreatFox IOCs for 2025-08-16
MediumScammers Compromised by Own Malware, Expose $4.67M Operation and Identities
MediumThreatFox IOCs for 2025-08-15
MediumThreat Actor Profile: Interlock Ransomware
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.