ThreatFox IOCs for 2025-07-20
Severity: mediumType: malware
ThreatFox IOCs for 2025-07-20
AI Analysis
Technical Summary
The provided information pertains to a set of Indicators of Compromise (IOCs) published on 2025-07-20 by the ThreatFox MISP Feed. These IOCs are categorized under 'malware' and relate primarily to OSINT (Open Source Intelligence), payload delivery, and network activity. However, the data lacks specific details about the malware family, attack vectors, affected software versions, or technical exploit mechanisms. No known exploits in the wild or patches are available, and no Common Weakness Enumerations (CWEs) are listed. The threat level is indicated as medium (threatLevel: 2), with a moderate distribution score (3), suggesting some level of dissemination but not widespread. The absence of concrete technical indicators or payload descriptions limits the ability to deeply analyze the malware's behavior or propagation methods. The threat appears to be a collection or feed of IOCs intended for OSINT purposes, possibly to aid in detection and response rather than describing a new or active exploit. The lack of affected versions and patch information implies that this is more of an intelligence update rather than a direct vulnerability or exploit announcement.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the absence of specific exploit details or active campaigns. However, the presence of malware-related IOCs in OSINT feeds can indicate emerging threats or reconnaissance activities that could precede targeted attacks. If these IOCs correspond to payload delivery mechanisms or network activity patterns, organizations might face risks such as unauthorized access, data exfiltration, or disruption of services if the malware is deployed successfully. The medium severity suggests a moderate risk level, which could translate into operational disruptions or confidentiality breaches if exploited. European entities relying on threat intelligence feeds like ThreatFox can benefit from early detection but must remain vigilant to evolving threats that may leverage these IOCs. The lack of patches or known exploits suggests that the threat is not currently being actively exploited at scale, reducing immediate risk but not eliminating future potential impact.
Mitigation Recommendations
European organizations should integrate these IOCs into their existing security monitoring and threat intelligence platforms to enhance detection capabilities. Specifically, security teams should: 1) Update intrusion detection and prevention systems (IDS/IPS) and endpoint detection and response (EDR) tools with the latest IOCs from ThreatFox to identify potential malicious payload delivery or network activity. 2) Conduct network traffic analysis focusing on anomalies that match the described network activity patterns associated with these IOCs. 3) Perform regular threat hunting exercises using the provided indicators to proactively identify any signs of compromise. 4) Enhance employee awareness and training on recognizing phishing or social engineering attempts that could serve as initial infection vectors for malware payload delivery. 5) Maintain robust backup and incident response plans to mitigate potential impacts if malware infection occurs. Since no patches are available, emphasis should be placed on detection, containment, and response rather than remediation of a specific vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Indicators of Compromise
- url: tcp://46.8.231.224/scripts/4thepool_miner.sh
- file: 154.216.157.235
- hash: 80
- file: 139.155.104.147
- hash: 443
- file: 43.139.152.50
- hash: 8888
- file: 91.236.116.139
- hash: 80
- file: 157.254.165.199
- hash: 888
- file: 83.222.191.90
- hash: 15647
- file: 172.105.121.80
- hash: 7443
- file: 45.38.20.87
- hash: 7443
- file: 35.244.127.70
- hash: 80
- file: 35.244.127.70
- hash: 443
- file: 93.198.188.234
- hash: 82
- file: 43.208.192.188
- hash: 48641
- file: 35.156.214.186
- hash: 102
- file: 54.78.57.178
- hash: 10260
- file: 18.175.149.170
- hash: 8000
- file: 18.175.149.170
- hash: 9200
- file: 18.175.149.170
- hash: 13000
- file: 167.71.200.206
- hash: 80
- file: 45.137.201.142
- hash: 4444
- file: 185.149.24.176
- hash: 22101
- file: 174.57.4.60
- hash: 4782
- domain: tip.emailsv.org
- file: 123.56.87.43
- hash: 8081
- file: 176.46.152.35
- hash: 443
- file: 104.168.64.199
- hash: 443
- file: 16.162.4.4
- hash: 8888
- file: 207.231.111.84
- hash: 80
- file: 172.111.248.130
- hash: 8808
- file: 206.123.145.241
- hash: 443
- file: 95.217.190.166
- hash: 5555
- file: 45.80.158.242
- hash: 2404
- file: 216.9.225.221
- hash: 14306
- file: 115.79.233.124
- hash: 6000
- file: 192.238.128.194
- hash: 8888
- file: 159.223.64.229
- hash: 80
- file: 51.112.47.23
- hash: 27034
- file: 16.62.240.47
- hash: 4839
- file: 54.168.191.225
- hash: 80
- file: 34.198.232.151
- hash: 443
- file: 133.18.166.250
- hash: 3456
- file: 59.110.21.45
- hash: 3333
- file: 162.245.189.81
- hash: 3333
- file: 20.5.136.50
- hash: 443
- file: 47.74.50.253
- hash: 3333
- file: 137.184.238.72
- hash: 443
- file: 137.184.238.72
- hash: 8443
- file: 34.234.176.204
- hash: 3333
- file: 110.232.90.73
- hash: 8443
- file: 193.161.193.99
- hash: 41990
- file: 174.57.4.60
- hash: 6606
- url: https://bornim.top/xoak
- file: 47.243.112.74
- hash: 8181
- url: http://196.251.66.32/hbts/top1miku.i586
- url: http://196.251.66.32/hbts/top1miku.x86_64
- domain: sworwdcp.top
- domain: tunenrnc.top
- domain: ultracpj.xyz
- domain: vegemuoe.top
- file: 47.103.109.70
- hash: 8000
- file: 115.190.151.227
- hash: 801
- file: 1.53.229.189
- hash: 4444
- file: 139.224.54.133
- hash: 9443
- file: 1.13.187.97
- hash: 4433
- file: 1.94.137.198
- hash: 9989
- file: 42.192.212.68
- hash: 443
- file: 151.241.129.49
- hash: 8444
- file: 119.45.1.34
- hash: 8888
- file: 56.228.12.2
- hash: 7443
- file: 207.180.213.79
- hash: 52037
- file: 3.96.126.19
- hash: 3306
- file: 34.222.124.155
- hash: 11112
- file: 3.67.64.87
- hash: 41795
- file: 185.195.236.9
- hash: 80
- file: 72.5.42.161
- hash: 3232
- file: 18.252.216.17
- hash: 443
- file: 18.252.251.213
- hash: 443
- file: 3.141.84.244
- hash: 443
- file: 71.85.182.105
- hash: 443
- file: 86.98.219.194
- hash: 443
- file: 167.234.235.198
- hash: 3333
- file: 123.60.191.231
- hash: 4545
- file: 101.42.157.172
- hash: 443
- file: 49.65.96.18
- hash: 9998
- file: 45.252.249.223
- hash: 31337
- file: 45.144.137.60
- hash: 31337
- file: 141.98.112.145
- hash: 54984
- file: 103.57.130.241
- hash: 54984
- file: 162.254.85.213
- hash: 8443
- file: 18.60.39.236
- hash: 636
- file: 125.26.15.209
- hash: 1177
- file: 120.157.55.0
- hash: 3001
- file: 115.79.233.124
- hash: 5001
- file: 31.128.207.216
- hash: 7777
- domain: domet.chanbaba.online
- file: 85.203.4.232
- hash: 22
- url: https://www.optionchain.dpdns.org
- url: https://tunenrnc.top/xodz
- url: https://ultracpj.xyz/apgk
- url: https://vegemuoe.top/xauy
- domain: 1328175548-4zksdftd97.ap-guangzhou.tencentscf.com
- file: 124.221.116.169
- hash: 80
- file: 216.250.107.151
- hash: 29109
- file: 2.59.133.24
- hash: 4782
- url: http://glgkorea.com/forum/viewtopic.php
- file: 101.126.17.8
- hash: 8888
- file: 43.160.252.15
- hash: 8888
- file: 196.251.69.242
- hash: 8888
- file: 119.161.100.86
- hash: 10001
- file: 176.46.152.3
- hash: 483
- url: http://195.62.49.187/providerpythonlowbigload.php
- url: https://leftmxfg.lol/atmn/api
- url: https://sworwdcp.top/aote
- url: https://t.me/ggbetrom
- file: 194.87.218.119
- hash: 1985
- file: 185.214.10.224
- hash: 5888
- domain: security.felaguueard.com
- domain: pewbicved.com
- file: 47.82.113.26
- hash: 6163
- url: https://cuwewki.shop/wqiz
- url: https://t.me/dfhsdhs6
- url: https://accepkw.shop/xlor
- file: 77.95.229.18
- hash: 54212
- file: 77.95.229.18
- hash: 7772
- file: 77.95.229.18
- hash: 8989
- file: 206.123.145.137
- hash: 523
- url: https://pavansmr.pics/akjt
- file: 103.77.241.145
- hash: 12121
- domain: cnc.netjssaytcpp.lat
- file: 185.26.120.11
- hash: 443
- domain: www.helpdeskglobal.site
- url: http://176.46.157.60/d8tr4u9k/index.php
- file: 138.124.183.163
- hash: 7000
- url: https://nowqx.xyz/taos
- domain: axiosapiexample.com
- url: https://t.me/amnzflowers
- domain: vueapiinsights.com
- file: 156.254.126.118
- hash: 45382
- file: 81.69.220.187
- hash: 10888
- file: 43.138.104.38
- hash: 60531
- file: 172.236.108.193
- hash: 443
- file: 86.54.42.73
- hash: 14829
- file: 102.117.162.135
- hash: 7443
- file: 80.78.25.217
- hash: 7443
- file: 103.77.241.146
- hash: 80
- file: 124.70.161.39
- hash: 10001
- file: 120.221.87.128
- hash: 10001
- file: 167.160.89.158
- hash: 10001
- file: 176.46.157.60
- hash: 80
- file: 83.222.190.38
- hash: 443
- url: http://132961cm.nyash.es/flowerdatalife.php
- file: 172.234.99.241
- hash: 80
- file: 137.220.153.90
- hash: 8880
- url: https://jaclwdc.top/ziur
- url: http://cl84177.tw1.ru/008672e2.php
- file: 136.243.250.35
- hash: 7771
- file: 196.251.118.54
- hash: 1603
- domain: research-trivia.gl.at.ply.gg
- file: 31.56.79.71
- hash: 7000
- domain: desktop-gvd3u7o-nj.at.remote.it
- domain: troia23.ddns.net
- domain: kocorex-46341.portmap.io
- domain: phone2347.freeddns.org
- file: 147.185.221.24
- hash: 4445
- domain: ultra64.duckdns.org
- file: 102.129.156.214
- hash: 38278
- file: 51.79.188.112
- hash: 19842
- file: 185.182.82.119
- hash: 37819
- domain: rnbmo-86-189-141-39.a.free.pinggy.link
- domain: rnriw-86-189-141-39.a.free.pinggy.link
- domain: luisnicaragua.zapto.org
- url: http://kings.jesseworld.eu/five/five/fre.php
- url: http://papgon10.ru/rozay/fred.php
- url: http://mulyadi.co.id/wp-includes/look/panel/five1/fre.php
- url: http://closaparent.com/broker/five/fre.php
- url: http://47.96.224.76:9999/llzk
- file: 196.251.118.54
- hash: 7705
- file: 137.220.153.22
- hash: 8880
- file: 193.111.117.146
- hash: 7000
- url: http://66.63.187.111/waaagh/index.php
- file: 147.185.221.30
- hash: 24959
- url: https://pandhnyk.top/zids
- file: 159.69.241.217
- hash: 8080
- file: 147.185.221.30
- hash: 13153
- file: 64.176.61.71
- hash: 80
- file: 119.45.11.145
- hash: 443
- file: 154.9.255.163
- hash: 443
- file: 172.94.126.28
- hash: 82
- file: 34.61.193.219
- hash: 443
- file: 45.38.20.87
- hash: 3000
- domain: carbonxiv.ooguy.com
- file: 115.79.233.124
- hash: 6001
- file: 43.207.83.12
- hash: 1224
- domain: willbayley.com
- file: 106.52.166.133
- hash: 443
- file: 66.63.187.111
- hash: 80
- file: 118.161.1.151
- hash: 443
- file: 86.54.42.73
- hash: 5432
- file: 91.108.189.131
- hash: 43
- file: 93.82.28.127
- hash: 8000
- url: https://t.me/diokiis
- file: 111.229.44.118
- hash: 4782
ThreatFox IOCs for 2025-07-20
Medium
Published: Sun Jul 20 2025 (07/20/2025, 00:00:00 UTC)
Source: ThreatFox MISP Feed
Vendor/Project: type
Product: osint
Description
ThreatFox IOCs for 2025-07-20
AI-Powered Analysis
AILast updated: 07/21/2025, 00:31:10 UTC
Technical Analysis
The provided information pertains to a set of Indicators of Compromise (IOCs) published on 2025-07-20 by the ThreatFox MISP Feed. These IOCs are categorized under 'malware' and relate primarily to OSINT (Open Source Intelligence), payload delivery, and network activity. However, the data lacks specific details about the malware family, attack vectors, affected software versions, or technical exploit mechanisms. No known exploits in the wild or patches are available, and no Common Weakness Enumerations (CWEs) are listed. The threat level is indicated as medium (threatLevel: 2), with a moderate distribution score (3), suggesting some level of dissemination but not widespread. The absence of concrete technical indicators or payload descriptions limits the ability to deeply analyze the malware's behavior or propagation methods. The threat appears to be a collection or feed of IOCs intended for OSINT purposes, possibly to aid in detection and response rather than describing a new or active exploit. The lack of affected versions and patch information implies that this is more of an intelligence update rather than a direct vulnerability or exploit announcement.
Potential Impact
For European organizations, the impact of this threat is currently limited due to the absence of specific exploit details or active campaigns. However, the presence of malware-related IOCs in OSINT feeds can indicate emerging threats or reconnaissance activities that could precede targeted attacks. If these IOCs correspond to payload delivery mechanisms or network activity patterns, organizations might face risks such as unauthorized access, data exfiltration, or disruption of services if the malware is deployed successfully. The medium severity suggests a moderate risk level, which could translate into operational disruptions or confidentiality breaches if exploited. European entities relying on threat intelligence feeds like ThreatFox can benefit from early detection but must remain vigilant to evolving threats that may leverage these IOCs. The lack of patches or known exploits suggests that the threat is not currently being actively exploited at scale, reducing immediate risk but not eliminating future potential impact.
Mitigation Recommendations
European organizations should integrate these IOCs into their existing security monitoring and threat intelligence platforms to enhance detection capabilities. Specifically, security teams should: 1) Update intrusion detection and prevention systems (IDS/IPS) and endpoint detection and response (EDR) tools with the latest IOCs from ThreatFox to identify potential malicious payload delivery or network activity. 2) Conduct network traffic analysis focusing on anomalies that match the described network activity patterns associated with these IOCs. 3) Perform regular threat hunting exercises using the provided indicators to proactively identify any signs of compromise. 4) Enhance employee awareness and training on recognizing phishing or social engineering attempts that could serve as initial infection vectors for malware payload delivery. 5) Maintain robust backup and incident response plans to mitigate potential impacts if malware infection occurs. Since no patches are available, emphasis should be placed on detection, containment, and response rather than remediation of a specific vulnerability.
Affected Countries
Need more detailed analysis?Get Pro
Pro Feature
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- bd8f2e5e-e31b-4a45-8288-9c077394f737
- Original Timestamp
- 1753056186
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urltcp://46.8.231.224/scripts/4thepool_miner.sh | Unknown malware payload delivery URL (confidence level: 75%) | |
urlhttps://bornim.top/xoak | Lumma Stealer botnet C2 (confidence level: 100%) | |
urlhttp://196.251.66.32/hbts/top1miku.i586 | Unknown malware payload delivery URL (confidence level: 75%) | |
urlhttp://196.251.66.32/hbts/top1miku.x86_64 | Unknown malware payload delivery URL (confidence level: 75%) | |
urlhttps://www.optionchain.dpdns.org | Vidar botnet C2 (confidence level: 75%) | |
urlhttps://tunenrnc.top/xodz | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://ultracpj.xyz/apgk | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://vegemuoe.top/xauy | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://glgkorea.com/forum/viewtopic.php | Pony botnet C2 (confidence level: 100%) | |
urlhttp://195.62.49.187/providerpythonlowbigload.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://leftmxfg.lol/atmn/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://sworwdcp.top/aote | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://t.me/ggbetrom | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://cuwewki.shop/wqiz | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://t.me/dfhsdhs6 | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://accepkw.shop/xlor | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://pavansmr.pics/akjt | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://176.46.157.60/d8tr4u9k/index.php | Amadey botnet C2 (confidence level: 100%) | |
urlhttps://nowqx.xyz/taos | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://t.me/amnzflowers | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://132961cm.nyash.es/flowerdatalife.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://jaclwdc.top/ziur | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://cl84177.tw1.ru/008672e2.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttp://kings.jesseworld.eu/five/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttp://papgon10.ru/rozay/fred.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttp://mulyadi.co.id/wp-includes/look/panel/five1/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttp://closaparent.com/broker/five/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttp://47.96.224.76:9999/llzk | Cobalt Strike botnet C2 (confidence level: 75%) | |
urlhttp://66.63.187.111/waaagh/index.php | Amadey botnet C2 (confidence level: 100%) | |
urlhttps://pandhnyk.top/zids | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://t.me/diokiis | Lumma Stealer botnet C2 (confidence level: 75%) |
File
| Value | Description | Copy |
|---|---|---|
file154.216.157.235 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file139.155.104.147 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.139.152.50 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file91.236.116.139 | Matanbuchus botnet C2 server (confidence level: 100%) | |
file157.254.165.199 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file83.222.191.90 | SectopRAT botnet C2 server (confidence level: 100%) | |
file172.105.121.80 | Unknown malware botnet C2 server (confidence level: 100%) | |
file45.38.20.87 | Unknown malware botnet C2 server (confidence level: 100%) | |
file35.244.127.70 | Havoc botnet C2 server (confidence level: 100%) | |
file35.244.127.70 | Havoc botnet C2 server (confidence level: 100%) | |
file93.198.188.234 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file43.208.192.188 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file35.156.214.186 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file54.78.57.178 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.175.149.170 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.175.149.170 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file18.175.149.170 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file167.71.200.206 | MooBot botnet C2 server (confidence level: 100%) | |
file45.137.201.142 | XWorm botnet C2 server (confidence level: 100%) | |
file185.149.24.176 | PureLogs Stealer botnet C2 server (confidence level: 100%) | |
file174.57.4.60 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file123.56.87.43 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file176.46.152.35 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file104.168.64.199 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file16.162.4.4 | Unknown malware botnet C2 server (confidence level: 100%) | |
file207.231.111.84 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file172.111.248.130 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file206.123.145.241 | Remcos botnet C2 server (confidence level: 100%) | |
file95.217.190.166 | Remcos botnet C2 server (confidence level: 100%) | |
file45.80.158.242 | Remcos botnet C2 server (confidence level: 100%) | |
file216.9.225.221 | Remcos botnet C2 server (confidence level: 100%) | |
file115.79.233.124 | Venom RAT botnet C2 server (confidence level: 100%) | |
file192.238.128.194 | Kaiji botnet C2 server (confidence level: 100%) | |
file159.223.64.229 | MooBot botnet C2 server (confidence level: 100%) | |
file51.112.47.23 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file16.62.240.47 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file54.168.191.225 | Brute Ratel C4 botnet C2 server (confidence level: 100%) | |
file34.198.232.151 | Unknown malware botnet C2 server (confidence level: 100%) | |
file133.18.166.250 | Unknown malware botnet C2 server (confidence level: 100%) | |
file59.110.21.45 | Unknown malware botnet C2 server (confidence level: 100%) | |
file162.245.189.81 | Unknown malware botnet C2 server (confidence level: 100%) | |
file20.5.136.50 | Unknown malware botnet C2 server (confidence level: 100%) | |
file47.74.50.253 | Unknown malware botnet C2 server (confidence level: 100%) | |
file137.184.238.72 | Unknown malware botnet C2 server (confidence level: 100%) | |
file137.184.238.72 | Unknown malware botnet C2 server (confidence level: 100%) | |
file34.234.176.204 | Unknown malware botnet C2 server (confidence level: 100%) | |
file110.232.90.73 | Unknown malware botnet C2 server (confidence level: 100%) | |
file193.161.193.99 | XWorm botnet C2 server (confidence level: 100%) | |
file174.57.4.60 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file47.243.112.74 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file47.103.109.70 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file115.190.151.227 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file1.53.229.189 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file139.224.54.133 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file1.13.187.97 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file1.94.137.198 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file42.192.212.68 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file151.241.129.49 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file119.45.1.34 | Unknown malware botnet C2 server (confidence level: 100%) | |
file56.228.12.2 | Unknown malware botnet C2 server (confidence level: 100%) | |
file207.180.213.79 | Havoc botnet C2 server (confidence level: 100%) | |
file3.96.126.19 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file34.222.124.155 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file3.67.64.87 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file185.195.236.9 | MooBot botnet C2 server (confidence level: 100%) | |
file72.5.42.161 | Rhadamanthys botnet C2 server (confidence level: 100%) | |
file18.252.216.17 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file18.252.251.213 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file3.141.84.244 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file71.85.182.105 | QakBot botnet C2 server (confidence level: 75%) | |
file86.98.219.194 | QakBot botnet C2 server (confidence level: 75%) | |
file167.234.235.198 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file123.60.191.231 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file101.42.157.172 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file49.65.96.18 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
file45.252.249.223 | Sliver botnet C2 server (confidence level: 50%) | |
file45.144.137.60 | Sliver botnet C2 server (confidence level: 50%) | |
file141.98.112.145 | Nanocore RAT botnet C2 server (confidence level: 50%) | |
file103.57.130.241 | Nanocore RAT botnet C2 server (confidence level: 50%) | |
file162.254.85.213 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
file18.60.39.236 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
file125.26.15.209 | NjRAT botnet C2 server (confidence level: 50%) | |
file120.157.55.0 | Xtreme RAT botnet C2 server (confidence level: 50%) | |
file115.79.233.124 | Venom RAT botnet C2 server (confidence level: 50%) | |
file31.128.207.216 | Unknown malware botnet C2 server (confidence level: 50%) | |
file85.203.4.232 | XWorm botnet C2 server (confidence level: 75%) | |
file124.221.116.169 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file216.250.107.151 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file2.59.133.24 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file101.126.17.8 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.160.252.15 | Unknown malware botnet C2 server (confidence level: 100%) | |
file196.251.69.242 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file119.161.100.86 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
file176.46.152.3 | Tofsee botnet C2 server (confidence level: 100%) | |
file194.87.218.119 | XWorm botnet C2 server (confidence level: 100%) | |
file185.214.10.224 | PureLogs Stealer botnet C2 server (confidence level: 100%) | |
file47.82.113.26 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file77.95.229.18 | Remcos botnet C2 server (confidence level: 75%) | |
file77.95.229.18 | Remcos botnet C2 server (confidence level: 75%) | |
file77.95.229.18 | Remcos botnet C2 server (confidence level: 75%) | |
file206.123.145.137 | Mirai botnet C2 server (confidence level: 75%) | |
file103.77.241.145 | Mirai botnet C2 server (confidence level: 75%) | |
file185.26.120.11 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
file138.124.183.163 | XWorm botnet C2 server (confidence level: 100%) | |
file156.254.126.118 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file81.69.220.187 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file43.138.104.38 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file172.236.108.193 | Sliver botnet C2 server (confidence level: 100%) | |
file86.54.42.73 | Sliver botnet C2 server (confidence level: 100%) | |
file102.117.162.135 | Unknown malware botnet C2 server (confidence level: 100%) | |
file80.78.25.217 | Unknown malware botnet C2 server (confidence level: 100%) | |
file103.77.241.146 | Bashlite botnet C2 server (confidence level: 100%) | |
file124.70.161.39 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
file120.221.87.128 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
file167.160.89.158 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
file176.46.157.60 | Amadey botnet C2 server (confidence level: 50%) | |
file83.222.190.38 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file172.234.99.241 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file137.220.153.90 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file136.243.250.35 | NjRAT botnet C2 server (confidence level: 100%) | |
file196.251.118.54 | XWorm botnet C2 server (confidence level: 100%) | |
file31.56.79.71 | XWorm botnet C2 server (confidence level: 100%) | |
file147.185.221.24 | Remcos botnet C2 server (confidence level: 100%) | |
file102.129.156.214 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file51.79.188.112 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file185.182.82.119 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
file196.251.118.54 | PureLogs Stealer botnet C2 server (confidence level: 100%) | |
file137.220.153.22 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file193.111.117.146 | XWorm botnet C2 server (confidence level: 100%) | |
file147.185.221.30 | XWorm botnet C2 server (confidence level: 100%) | |
file159.69.241.217 | NjRAT botnet C2 server (confidence level: 100%) | |
file147.185.221.30 | XWorm botnet C2 server (confidence level: 100%) | |
file64.176.61.71 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file119.45.11.145 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file154.9.255.163 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file172.94.126.28 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file34.61.193.219 | Unknown malware botnet C2 server (confidence level: 100%) | |
file45.38.20.87 | Unknown malware botnet C2 server (confidence level: 100%) | |
file115.79.233.124 | Venom RAT botnet C2 server (confidence level: 100%) | |
file43.207.83.12 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file106.52.166.133 | Unknown malware botnet C2 server (confidence level: 100%) | |
file66.63.187.111 | Amadey botnet C2 server (confidence level: 50%) | |
file118.161.1.151 | QakBot botnet C2 server (confidence level: 75%) | |
file86.54.42.73 | Sliver botnet C2 server (confidence level: 75%) | |
file91.108.189.131 | Sliver botnet C2 server (confidence level: 75%) | |
file93.82.28.127 | Eye Pyramid botnet C2 server (confidence level: 75%) | |
file111.229.44.118 | Quasar RAT botnet C2 server (confidence level: 100%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash80 | Matanbuchus botnet C2 server (confidence level: 100%) | |
hash888 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash15647 | SectopRAT botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Havoc botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash82 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash48641 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash102 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash10260 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash8000 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash9200 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash13000 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash4444 | XWorm botnet C2 server (confidence level: 100%) | |
hash22101 | PureLogs Stealer botnet C2 server (confidence level: 100%) | |
hash4782 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash8081 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Remcos botnet C2 server (confidence level: 100%) | |
hash5555 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash14306 | Remcos botnet C2 server (confidence level: 100%) | |
hash6000 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash8888 | Kaiji botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash27034 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash4839 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | Brute Ratel C4 botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3456 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash41990 | XWorm botnet C2 server (confidence level: 100%) | |
hash6606 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash8181 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash8000 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash801 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4444 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash4433 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash9989 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8444 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash52037 | Havoc botnet C2 server (confidence level: 100%) | |
hash3306 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash11112 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash41795 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash3232 | Rhadamanthys botnet C2 server (confidence level: 100%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash3333 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash4545 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash9998 | Cobalt Strike botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash31337 | Sliver botnet C2 server (confidence level: 50%) | |
hash54984 | Nanocore RAT botnet C2 server (confidence level: 50%) | |
hash54984 | Nanocore RAT botnet C2 server (confidence level: 50%) | |
hash8443 | Brute Ratel C4 botnet C2 server (confidence level: 50%) | |
hash636 | NetSupportManager RAT botnet C2 server (confidence level: 50%) | |
hash1177 | NjRAT botnet C2 server (confidence level: 50%) | |
hash3001 | Xtreme RAT botnet C2 server (confidence level: 50%) | |
hash5001 | Venom RAT botnet C2 server (confidence level: 50%) | |
hash7777 | Unknown malware botnet C2 server (confidence level: 50%) | |
hash22 | XWorm botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash29109 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash4782 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash8888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8888 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash10001 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
hash483 | Tofsee botnet C2 server (confidence level: 100%) | |
hash1985 | XWorm botnet C2 server (confidence level: 100%) | |
hash5888 | PureLogs Stealer botnet C2 server (confidence level: 100%) | |
hash6163 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash54212 | Remcos botnet C2 server (confidence level: 75%) | |
hash7772 | Remcos botnet C2 server (confidence level: 75%) | |
hash8989 | Remcos botnet C2 server (confidence level: 75%) | |
hash523 | Mirai botnet C2 server (confidence level: 75%) | |
hash12121 | Mirai botnet C2 server (confidence level: 75%) | |
hash443 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
hash7000 | XWorm botnet C2 server (confidence level: 100%) | |
hash45382 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash10888 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash60531 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Sliver botnet C2 server (confidence level: 100%) | |
hash14829 | Sliver botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Bashlite botnet C2 server (confidence level: 100%) | |
hash10001 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
hash10001 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
hash10001 | Xtreme RAT botnet C2 server (confidence level: 100%) | |
hash80 | Amadey botnet C2 server (confidence level: 50%) | |
hash443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash80 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash8880 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash7771 | NjRAT botnet C2 server (confidence level: 100%) | |
hash1603 | XWorm botnet C2 server (confidence level: 100%) | |
hash7000 | XWorm botnet C2 server (confidence level: 100%) | |
hash4445 | Remcos botnet C2 server (confidence level: 100%) | |
hash38278 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash19842 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash37819 | RedLine Stealer botnet C2 server (confidence level: 100%) | |
hash7705 | PureLogs Stealer botnet C2 server (confidence level: 100%) | |
hash8880 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash7000 | XWorm botnet C2 server (confidence level: 100%) | |
hash24959 | XWorm botnet C2 server (confidence level: 100%) | |
hash8080 | NjRAT botnet C2 server (confidence level: 100%) | |
hash13153 | XWorm botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash82 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash6001 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash1224 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Amadey botnet C2 server (confidence level: 50%) | |
hash443 | QakBot botnet C2 server (confidence level: 75%) | |
hash5432 | Sliver botnet C2 server (confidence level: 75%) | |
hash43 | Sliver botnet C2 server (confidence level: 75%) | |
hash8000 | Eye Pyramid botnet C2 server (confidence level: 75%) | |
hash4782 | Quasar RAT botnet C2 server (confidence level: 100%) |
Domain
| Value | Description | Copy |
|---|---|---|
domaintip.emailsv.org | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainsworwdcp.top | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaintunenrnc.top | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainultracpj.xyz | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainvegemuoe.top | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaindomet.chanbaba.online | Mirai botnet C2 domain (confidence level: 50%) | |
domain1328175548-4zksdftd97.ap-guangzhou.tencentscf.com | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainsecurity.felaguueard.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domainpewbicved.com | Unknown malware payload delivery domain (confidence level: 100%) | |
domaincnc.netjssaytcpp.lat | Mirai botnet C2 domain (confidence level: 100%) | |
domainwww.helpdeskglobal.site | Unknown RAT botnet C2 domain (confidence level: 100%) | |
domainaxiosapiexample.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainvueapiinsights.com | FAKEUPDATES payload delivery domain (confidence level: 100%) | |
domainresearch-trivia.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 100%) | |
domaindesktop-gvd3u7o-nj.at.remote.it | XWorm botnet C2 domain (confidence level: 100%) | |
domaintroia23.ddns.net | XWorm botnet C2 domain (confidence level: 100%) | |
domainkocorex-46341.portmap.io | XWorm botnet C2 domain (confidence level: 100%) | |
domainphone2347.freeddns.org | Remcos botnet C2 domain (confidence level: 100%) | |
domainultra64.duckdns.org | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainrnbmo-86-189-141-39.a.free.pinggy.link | Unknown RAT botnet C2 domain (confidence level: 100%) | |
domainrnriw-86-189-141-39.a.free.pinggy.link | Unknown RAT botnet C2 domain (confidence level: 100%) | |
domainluisnicaragua.zapto.org | CyberGate botnet C2 domain (confidence level: 100%) | |
domaincarbonxiv.ooguy.com | Havoc botnet C2 domain (confidence level: 100%) | |
domainwillbayley.com | Unknown malware botnet C2 domain (confidence level: 100%) |
Threat ID: 687d86bda83201eaac055fbb
Added to database: 7/21/2025, 12:15:57 AM
Last enriched: 7/21/2025, 12:31:10 AM
Last updated: 7/25/2025, 1:04:14 AM
Views: 15
Related Threats
New Advanced Stealer (SHUYAL) Targets Credentials Across 19 Popular Browsers
MediumMalwareFri Jul 25 2025
Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware
MediumMalwareFri Jul 25 2025
Koske, a new AI-Generated Linux malware appears in the threat landscape
MediumMalwareFri Jul 25 2025
ThreatFox IOCs for 2025-07-24
MediumMalwareFri Jul 25 2025
Coyote malware is first-ever malware abusing Windows UI Automation
MediumMalwareThu Jul 24 2025
Actions
PRO
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Please log in to the Console to use AI analysis features.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.