ThreatFox IOCs for 2025-11-19
AI Analysis
Technical Summary
This entry is the ThreatFox (abuse.ch) daily IOC export for 19 November 2025, packaged as a MISP event with threat level 2 (Medium on the MISP scale), analysis 1 (Ongoing) and distribution 3 (All communities). "OSINT", "network activity" and "payload delivery" are the MISP tag and attribute categories attached to the event; they describe the sharing source and the kind of indicator, not adversary tradecraft. The entry does not concern a software vulnerability, so the absence of CWE, version or patch data is expected. The event carries several hundred indicators of four types: URLs, domains, ip:port pairs (which the export on this page splits into a "file:" line holding the address and a following "hash:" line holding the port) and three SHA-256 file hashes. Where the table further down labels them, the indicators belong to commodity and post-exploitation tooling: infostealers (Vidar, Lumma Stealer, Stealc, PureLogs Stealer and an unnamed stealer whose C2 exposes a discord-injection endpoint), remote-access trojans (Remcos, DCRat, Venom RAT, SectopRAT, NetSupport Manager RAT and an unnamed RAT), loaders and botnets (Amadey, Latrodectus, Phorpiex, Chaos), the Android banking trojan Hook, the IoT botnets Mirai and MooBot, attack frameworks (Cobalt Strike, Sliver, Meterpreter and a server tagged Mimikatz) and the ClearFake and KongTuke web delivery chains. Several structures in the list stand out: four hosts serving the login page of the Supershell C2 framework on port 8888; Phorpiex C2 domains published as matched .ru and .su pairs; ten Vidar C2 servers on port 443 together with a steamcommunity.com profile URL (Vidar's known dead-drop method for locating its current C2); five "/windows/invite.php" lure URLs on domains imitating Teams, Zoom and Excel shares; crypto-themed delivery domains (app-marginfi.sbs, app-everstake.cfd, app-sanctum.top) and an Android package offered as "gpt trade.apk"; and a large cluster of short dictionary-word subdomains under leet-spelled .ru domains (deepv0yage.ru, rainv1sta.ru, s0ftvale.ru and similar) that the visible part of the table does not attribute to a family. Most entries carry 100% confidence; a minority are reported at 50% to 80% and should be corroborated before they are used for blocking.
Potential Impact
For European organizations the exposure follows the tooling rather than a single campaign. The infostealers (Vidar, Lumma, Stealc, PureLogs) harvest browser credentials, session cookies and cryptocurrency wallet data, so one infected workstation can lead to account takeover and, through replayed sessions, to cloud and SaaS access; the crypto-themed delivery domains show wallet users as a target. The RAT families and the Cobalt Strike, Sliver and Meterpreter servers point to interactive intrusions with lateral movement and data theft as the objective, and Amadey, Latrodectus and Phorpiex are loaders that stage further payloads, so an apparently minor infection can precede ransomware. Availability is not out of scope either: the Mirai and MooBot C2 servers indicate compromised routers, cameras and other edge devices being enrolled for DDoS, and the Hook entries and the .apk download bring Android devices used for corporate mail or banking into the picture. The Medium threat level reflects commodity malware with broad, opportunistic distribution; the impact on a given organization depends on which payload lands and how quickly stolen credentials and sessions are revoked. The five countries listed below are those the source associates with this event; the indicators themselves are not geographically scoped.
Mitigation Recommendations
European organizations should act on the indicators themselves rather than on generic advice:
1) Load the URL, domain and ip:port indicators into the egress proxy, the DNS resolver (RPZ or sinkhole) and the firewall as block-and-alert entries. Match ip:port values on both address and port; a bare-IP hit on a shared hosting or cloud address is lower fidelity and should alert rather than block.
2) Push the same set into the SIEM as a lookup table keyed by indicator type and query historic proxy, DNS and NetFlow data back to at least the export date, since a C2 listed today was usually live for days beforehand.
3) Search EDR telemetry for the three SHA-256 hashes and for the delivery artefacts visible in the list: downloads of .apk, .js and .zip files from the listed hosts, and browser navigations to the "/windows/invite.php" lure paths and to the ClearFake and KongTuke delivery URLs, which are typical of fake-update and ClickFix pages that talk the user into running a command.
4) Alert on outbound connections to the Supershell login path (port 8888, /supershell/login/) and on the non-standard C2 ports that recur in the list (7443, 2404 and 2405 for Remcos, 3790, 4444, 8888), and review any internal host found talking to them.
5) Because the stealers exfiltrate browser sessions, treat a confirmed stealer infection as a credential incident: rotate passwords and revoke sessions and tokens for the affected user, not only reimage the host.
6) Time-bound the ip:port and URL entries (30 to 90 days) and re-validate before blocking, since hosting and cloud addresses are reassigned. The dynamic-DNS and tunnelling hostnames here (duckdns.org, ddns.net, ply.gg, portmap.io, mywire.org) show that legitimate services carry C2 traffic, so block the specific hostnames rather than the providers.
7) Pull the ThreatFox export daily (the feed is free and updated continuously) and report confirmed sightings back through the national CERT so that the 50% confidence entries can be corroborated.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Indicators of Compromise
- url: http://202.155.141.62:8888/supershell/login/
- ip:port: 202.155.141.62:8888
- ip:port: 45.83.207.191:3778
- ip:port: 154.6.197.36:1999
- domain: vcc-library.uk
- domain: digital-marketing-pro-365.com
- domain: wee-wee-gachi-master.com
- url: https://digital-marketing-pro-365.com/api/upload
- url: https://digital-marketing-pro-365.com/api/tasks
- domain: newtry.app
- ip:port: 213.209.143.62:56999
- ip:port: 35.192.163.54:7443
- ip:port: 85.9.200.153:443
- ip:port: 168.245.200.119:3790
- domain: weald.0akstream.ru
- domain: harbr.deepv0yage.ru
- domain: gleem.deepv0yage.ru
- domain: trakk.deepv0yage.ru
- domain: wolke.deepv0yage.ru
- domain: pfed.deepv0yage.ru
- domain: drizz.rainv1sta.ru
- domain: medow.rainv1sta.ru
- domain: gusty.rainv1sta.ru
- domain: vally.s0ftvale.ru
- domain: wylde.s0ftvale.ru
- ip:port: 77.110.114.65:7075
- domain: breez.s0ftvale.ru
- url: http://4.221.211.80:8888/supershell/login/
- ip:port: 144.76.96.36:7705
- domain: silem.s0ftvale.ru
- domain: foggy.mistytrai1.ru
- domain: pfth.mistytrai1.ru
- domain: bydfiexchange.live
- domain: turne.mistytrai1.ru
- domain: gloww.brightden.ru
- domain: dawne.brightden.ru
- domain: brisk.brightden.ru
- domain: sumer.brightden.ru
- domain: ambr.firer1dge.ru
- domain: brige.firer1dge.ru
- domain: cindr.firer1dge.ru
- domain: flair.firer1dge.ru
- domain: argent.s1lvergate.ru
- ip:port: 37.221.93.81:3778
- domain: weald.s1lvergate.ru
- domain: bruke.s1lvergate.ru
- ip:port: 117.72.195.22:443
- ip:port: 8.219.134.47:80
- ip:port: 45.74.15.133:2405
- ip:port: 83.136.210.210:2404
- ip:port: 87.251.69.96:8000
- ip:port: 54.219.247.190:17018
- ip:port: 172.86.113.235:9000
- ip:port: 172.86.113.240:9000
- ip:port: 109.71.245.105:443
- ip:port: 77.110.102.196:45051
- ip:port: 185.72.199.82:7000
- ip:port: 23.27.169.36:8848
- ip:port: 45.64.113.97:443
- ip:port: 72.60.70.33:3333
- domain: wolkr.2tannenpfad.ru
- domain: birhc.2tannenpfad.ru
- domain: gleem.2tannenpfad.ru
- domain: rauch.2tannenpfad.ru
- domain: stern.aurora1hain.ru
- domain: moos.aurora1hain.ru
- url: http://14.128.53.148:8888/supershell/login/
- domain: glowe.aurora1hain.ru
- domain: fjord.kieselufer8.ru
- domain: falke.kieselufer8.ru
- hash: 0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35
- url: https://playgoogle-gpttrade.com/gpt%20trade.apk
- domain: timeserver.uasecurity.org
- hash: 918f002a41f9551d48ece999ccba504fcf7596017d9566c07c5335fe0081effe
- domain: aptabase.fud2026.xyz
- hash: 7f005c10f80372311e9c038526d81d931672d15c644fef2a77eefd67c6235917
- url: http://95.164.53.100/private/yarsap_80541.php
- url: http://95.164.53.100:8080/
- domain: kleea.kieselufer8.ru
- domain: udefined30.domainofhonour40.xyz
- domain: kupaoquan.com
- domain: weiss.kieselufer8.ru
- ip:port: 107.173.227.99:2404
- domain: huckypet.ydns.eu
- domain: huckypet2.ydns.eu
- url: http://185.196.10.188
- url: http://45.159.189.140
- domain: syonr-23784.portmap.io
- domain: interest-weather.gl.at.ply.gg
- domain: parties-trance.gl.at.ply.gg
- domain: dune.kieselufer8.ru
- url: https://178.16.54.175/fc98bed393364b52.php
- url: https://www.remittances.oemsupport.co.za/
- domain: cdn.xoilac86s.cc
- domain: gatex.www.moroccancam.com
- domain: static.xoilac86s.cc
- domain: xoilacv.ac
- domain: consultaprocesosramajudicialgov.run.place
- domain: bot.sinestreacute.fun
- url: http://rghirgsrfzjjfsrzj.ru/
- url: http://rghirgsrfzjjfsrzjr.su/
- url: http://rghirgsrogddhjtdj.ru/
- url: http://rghirgsrogddhjtdjr.su/
- url: http://rghirgsrogrefsesg.ru/
- url: http://rghirgsrogrefsesgr.su/
- url: http://rghirgsrogrhdthsr.ru/
- url: http://rghirgsrogrhdthsrr.su/
- url: http://rghirgsrogrsfsegh.ru/
- url: http://rghirgsrogrsfseghr.su/
- url: http://rghirgsrogrsfzjfs.ru/
- url: http://rghirgsrogrsfzjfsr.su/
- url: http://rghirgsrogrshggir.ru/
- url: http://rghirgsrogrshggirr.su/
- url: http://rghirgsrogrshghsh.ru/
- url: http://rghirgsrogrshghshr.su/
- url: http://rghirgsrogrstjgrr.ru/
- url: http://rghirgsrogrstjgrrr.su/
- url: http://rghirgsrsrgsreidg.ru/
- url: http://rghirgsrsrgsreidgr.su/
- domain: rghirgsrfzjjfsrzj.ru
- domain: rghirgsrfzjjfsrzjr.su
- domain: rghirgsrogddhjtdj.ru
- domain: rghirgsrogddhjtdjr.su
- domain: rghirgsrogrefsesg.ru
- domain: rghirgsrogrefsesgr.su
- domain: rghirgsrogrhdthsr.ru
- domain: rghirgsrogrhdthsrr.su
- domain: rghirgsrogrsfsegh.ru
- domain: rghirgsrogrsfseghr.su
- domain: rghirgsrogrsfzjfsr.su
- domain: rghirgsrogrshggirr.su
- domain: rghirgsrogrshghsh.ru
- domain: rghirgsrogrshghshr.su
- domain: rghirgsrogrstjgrr.ru
- domain: rghirgsrogrstjgrrr.su
- domain: rghirgsrsrgsreidg.ru
- domain: rghirgsrsrgsreidgr.su
- domain: milogviolo.ddns.net
- domain: thales3033.com
- domain: submit-offered.gl.at.ply.gg
- domain: take-fragrances.gl.at.ply.gg
- domain: eis.nebulaquelle3.ru
- domain: wolfe.nebulaquelle3.ru
- domain: licht.nebulaquelle3.ru
- domain: ufer.spruce5moor.ru
- ip:port: 23.248.214.26:6781
- ip:port: 47.98.129.151:65530
- ip:port: 156.234.94.204:3184
- ip:port: 110.41.3.12:8088
- ip:port: 178.16.52.138:443
- ip:port: 158.94.209.192:443
- ip:port: 140.228.29.75:2404
- ip:port: 45.145.42.138:2404
- ip:port: 47.98.215.228:8888
- ip:port: 185.177.239.95:8089
- ip:port: 51.94.189.33:5060
- ip:port: 51.94.189.33:52260
- url: https://sol.clashofmaps.vip/
- url: https://sol.mummyhildasrice.com/
- domain: sol.clashofmaps.vip
- domain: sol.mummyhildasrice.com
- domain: geist.spruce5moor.ru
- url: https://arkanix.pw/api/session/create
- url: https://arkanix.pw/delivery
- url: https://arkanix.pw/api/discord-injection/template
- domain: sterm.echo6fern.ru
- ip:port: 185.234.75.84:6667
- ip:port: 1.161.69.16:443
- domain: brise.echo6fern.ru
- ip:port: 158.247.237.29:8080
- ip:port: 8.132.227.59:4506
- domain: tal.echo6fern.ru
- ip:port: 223.26.62.216:5566
- ip:port: 121.127.233.109:66
- domain: glade.hollow7ridge.ru
- ip:port: 194.68.44.13:443
- domain: glint.basaltwisp9.ru
- ip:port: 43.140.35.156:80
- ip:port: 192.159.99.47:3512
- ip:port: 5.255.105.69:48996
- domain: rauch.nebulaquelle3.ru
- domain: vapr.basaltwisp9.ru
- domain: ember.basaltwisp9.ru
- ip:port: 94.228.169.227:5122
- domain: brutalinfgonzasochi.com
- domain: ardotcharleybuking.com
- domain: quarz.basaltwisp9.ru
- domain: rune.spruce5moor.ru
- domain: korn.echo6fern.ru
- domain: weald.echo6fern.ru
- ip:port: 79.137.248.188:7099
- domain: drb.amin0mer3ges.ru
- domain: grove.hollow7ridge.ru
- domain: klif.hollow7ridge.ru
- ip:port: 216.126.239.141:80
- ip:port: 47.98.254.140:10443
- ip:port: 66.154.127.129:80
- ip:port: 45.156.87.159:8080
- ip:port: 103.103.46.39:7443
- ip:port: 83.216.113.194:8443
- ip:port: 185.95.165.37:4848
- ip:port: 109.74.144.151:8080
- ip:port: 23.22.49.187:443
- ip:port: 2.59.156.227:92
- ip:port: 193.233.19.9:3333
- ip:port: 8.131.103.16:81
- domain: vale.amin0mer3ges.ru
- domain: yp.amin0mer3ges.ru
- domain: ha.amin0mer3ges.ru
- domain: xq9.diab4uette.ru
- domain: delta.diab4uette.ru
- domain: i9.diab4uette.ru
- domain: godabeg.duckdns.org
- ip:port: 178.173.234.156:7374
- domain: navox.duckdns.org
- ip:port: 203.86.233.121:1912
- domain: oilmoney.duckdns.org
- domain: godwilling.duckdns.org
- domain: wealthyme.ddns.net
- domain: yq9g.diab4uette.ru
- ip:port: 18.185.89.255:18100
- ip:port: 209.200.246.43:1912
- domain: wn.n0v0se1prew.ru
- ip:port: 107.175.246.23:3650
- domain: alpha3.n0v0se1prew.ru
- domain: core.n0v0se1prew.ru
- domain: loom.n0v0se1prew.ru
- domain: 5bwm.galy8phony.ru
- domain: anchor.galy8phony.ru
- ip:port: 101.37.100.133:443
- ip:port: 104.160.9.139:443
- domain: yl56b.galy8phony.ru
- ip:port: 145.223.69.191:443
- ip:port: 185.180.221.8:443
- ip:port: 47.242.129.79:12096
- ip:port: 84.32.10.28:4444
- domain: echo.galy8phony.ru
- domain: blink8.brahtr0phy.ru
- url: https://46.62.245.61/
- url: https://95.217.246.10/
- url: https://5.75.216.214/
- url: https://91.98.235.73/
- url: https://91.99.193.141/
- url: https://95.216.180.226/
- url: https://116.202.176.212/
- url: https://49.13.39.18/
- url: https://135.181.41.44/
- url: https://fra.nigeriaafricatime.com/
- domain: fra.nigeriaafricatime.com
- ip:port: 46.62.245.61:443
- ip:port: 95.217.246.10:443
- ip:port: 5.75.216.214:443
- ip:port: 46.62.240.209:443
- ip:port: 91.98.235.73:443
- ip:port: 91.99.193.141:443
- ip:port: 95.216.180.226:443
- ip:port: 116.202.176.212:443
- ip:port: 49.13.39.18:443
- ip:port: 135.181.41.44:443
- domain: flux.brahtr0phy.ru
- domain: l7ks5.brahtr0phy.ru
- domain: wave6.brahtr0phy.ru
- ip:port: 46.247.108.59:5888
- url: http://stickvpn.com/get.php?oid=ad9bc13f7f50318a1e7d6f8f95b7f479
- url: http://apple-service.bet/get.php?oid=ad9bc13f7f50318a1e7d6f8f95b7f479
- domain: trace.nob0dy5yabky.ru
- domain: jta2v.nob0dy5yabky.ru
- domain: q5z.nob0dy5yabky.ru
- domain: jcw.nob0dy5yabky.ru
- domain: vivid8.kalmykvic0te.ru
- domain: ww8.kalmykvic0te.ru
- domain: 5f.kalmykvic0te.ru
- url: https://koleporter.com/propagation/yup.js
- domain: koleporter.com
- url: https://koleporter.com/propagation/propagate.php
- url: https://koleporter.com/propagation/png.js
- url: https://possiblcix.com/meta
- url: https://eco-technic.com/sdjkkxx.zip
- ip:port: 5.252.177.120:443
- url: http://77.90.185.45/
- url: http://185.173.38.8:8080/
- domain: kjh.servebeer.com
- domain: genbloke.mywire.org
- domain: winwin24.mywire.org
- domain: politics-tower.gl.at.ply.gg
- domain: nova.kalmykvic0te.ru
- domain: lr9kw.c0rkpr0tect.ru
- url: https://resusct.qpon/api
- domain: setforsurerealz.duckdns.org
- domain: blindersxorrect.duckdns.org
- domain: grasshopper3030goals.duckdns.org
- ip:port: 172.245.112.203:6790
- domain: resusct.qpon
- domain: 34m37.c0rkpr0tect.ru
- domain: ynk.c0rkpr0tect.ru
- domain: beacon.c0rkpr0tect.ru
- domain: spark3.primurib1er.ru
- ip:port: 8.155.161.181:8099
- ip:port: 123.60.60.119:4444
- ip:port: 139.59.182.58:443
- ip:port: 20.218.226.85:8080
- ip:port: 34.9.142.238:7443
- ip:port: 143.110.187.124:8089
- ip:port: 75.174.70.217:80
- ip:port: 212.11.64.30:591
- ip:port: 79.241.103.65:82
- ip:port: 18.227.26.237:443
- ip:port: 120.27.206.92:6443
- ip:port: 196.65.214.27:2222
- ip:port: 18.205.21.130:6004
- ip:port: 38.242.151.91:8080
- domain: vrxl3.primurib1er.ru
- domain: verify-connection.sbs
- url: https://verify-connection.sbs
- url: https://helpforyourdepression.com/1.wav
- domain: rdweb.csmanay.com
- domain: sxwajnextcloud.csmanay.com
- url: https://sxwajnextcloud.csmanay.com
- url: https://rdweb.csmanay.com
- domain: store.csmanay.com
- url: https://store.csmanay.com
- domain: protection-hub.cfd
- url: https://protection-hub.cfd
- domain: flipgg.sbs
- url: https://flipgg.sbs
- domain: rift.primurib1er.ru
- domain: app-sanctum.top
- url: https://app-sanctum.top
- domain: axlom-app.cfd
- url: https://steamcommunity.com/profiles/76561198767911792
- url: https://axlom-app.cfd
- domain: app-marginfi.sbs
- url: https://app-marginfi.sbs
- url: https://servidorunico.com/config/token.txt
- domain: r7mc8.primurib1er.ru
- domain: app-everstake.cfd
- url: https://app-everstake.cfd
- domain: transition-gate.help
- url: https://transition-gate.help
- domain: wolke.immigrant5p.ru
- ip:port: 95.164.123.63:443
- ip:port: 91.214.78.137:443
- ip:port: 95.164.53.17:443
- ip:port: 20.6.131.45:443
- ip:port: 107.148.50.75:80
- ip:port: 104.194.153.128:7000
- ip:port: 212.11.64.30:8080
- domain: glade.immigrant5p.ru
- domain: rune.immigrant5p.ru
- domain: moor.immigrant5p.ru
- domain: geist.grin5cra7ers.ru
- url: https://gjt.clashofmaps.vip/
- url: https://gjt.mummyhildasrice.com/
- domain: gjt.clashofmaps.vip
- domain: gjt.mummyhildasrice.com
- domain: ufer.grin5cra7ers.ru
- domain: klee.grin5cra7ers.ru
- domain: stern.fo0operate1.ru
- domain: weald.fo0operate1.ru
- domain: falke.fo0operate1.ru
- domain: tau.fo0operate1.ru
- url: http://68.210.136.253:8888/supershell/login/
- ip:port: 103.45.233.213:7000
- url: http://nudump.com
- url: http://91.211.251.106
- domain: dorn.fo0operate1.ru
- domain: birch.cou10sheaf.ru
- domain: hain.cou10sheaf.ru
- domain: licht.cou10sheaf.ru
- ip:port: 102.37.156.171:445
- ip:port: 121.209.145.42:2222
- domain: sturm.payc0medy.ru
- ip:port: 186.212.28.246:8081
- ip:port: 34.172.85.181:7443
- ip:port: 47.237.171.208:8080
- ip:port: 77.49.179.35:995
- ip:port: 98.87.114.152:443
- domain: pfad.payc0medy.ru
- domain: threadproperty.xyz
- domain: brise.payc0medy.ru
- url: http://198.199.75.154/set.php
- url: https://ukhorizons.com/4e5e.js
- domain: ukhorizons.com
- url: https://ukhorizons.com/js.php
- url: http://69.67.172.194:6655/meta
- domain: wald.payc0medy.ru
- domain: adler.capi1aryhold.ru
- domain: moos.capi1aryhold.ru
- domain: harz.capi1aryhold.ru
- domain: gleis.capi1aryhold.ru
- ip:port: 124.70.39.137:443
- ip:port: 91.92.243.20:80
- ip:port: 156.234.216.171:6781
- ip:port: 117.72.206.244:80
- ip:port: 47.84.30.113:80
- ip:port: 178.16.55.10:443
- ip:port: 144.172.106.140:8080
- ip:port: 34.135.61.121:8888
- ip:port: 44.201.144.100:7443
- ip:port: 64.176.179.199:3000
- ip:port: 45.61.157.22:443
- ip:port: 144.31.221.154:8000
- domain: tal.capi1aryhold.ru
- domain: rauch.f1rst5rup.ru
- url: https://demo.guetteinsurance.com/revised/contract/teamsfinal/teams/windows/invite.php
- url: https://solardairy.com/excel/windows/invite.php
- url: https://us03zoomwebjoin.com/windows/invite.php
- url: https://strivora.digital/d/windows/invite.php
- url: https://revised-doc.com/excel/now/windows/invite.php
- domain: fjord.f1rst5rup.ru
- ip:port: 206.238.196.220:8083
- ip:port: 198.46.173.11:62520
- domain: korn.f1rst5rup.ru
- ip:port: 98.142.247.134:1912
- domain: wolfe.guan0mesca.ru
- domain: eiche.guan0mesca.ru
- domain: bach.guan0mesca.ru
- domain: grat.guan0mesca.ru
- url: https://www.hotelthilanka.com/
- domain: weiss.ve1vetc0ves.ru
- domain: falx.ve1vetc0ves.ru
- domain: cloud.ve1vetc0ves.ru
- domain: kamm.ve1vetc0ves.ru
- domain: rill.ve1vetc0ves.ru
- domain: wi1nd.dr0gaguaran.ru
- domain: ba3ch.dr0gaguaran.ru
- domain: pf4ad.dr0gaguaran.ru
- domain: mo0or.dr0gaguaran.ru
- domain: ha2fen.bil1sun8en.ru
- domain: u9fer.bil1sun8en.ru
- domain: st1ern.bil1sun8en.ru
- domain: wal3d.deane4y5not.ru
- domain: gl0ow.deane4y5not.ru
- domain: mi5st.deane4y5not.ru
- domain: kra2ut.deane4y5not.ru
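The recommendation above to load this list into a SIEM and hunt over proxy, DNS and endpoint logs needs the indicators in a usable form first. The script below is an added example, not code from ThreatFox, abuse.ch or this page's author. It parses an IOC list in the export format used on this page, reuniting the "file:" (address) and "hash:" (port) line pairs into ip:port indicators while still recognising genuine SHA-256 values on "hash:" lines and also accepting the ip:port form, and then runs the result over a few constructed key=value log lines. The IOC excerpt and the log lines are constructed for the example; the key names (dst, url, query, sha256) are an assumption about the log format, not something the page specifies.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt in the page's export format (not the full list). The raw export emits an
# ip:port indicator as a "file:" line (the IP) followed by a "hash:" line (the port); real SHA-256 hashes also arrive as "hash:" lines.
RAW_IOC_LINES = """
- url: http://202.155.141.62:8888/supershell/login/
- file: 202.155.141.62
- hash: 8888
- domain: vcc-library.uk
- ip:port: 77.110.114.65:7075
- hash: 0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35
- url: https://koleporter.com/propagation/yup.js
""".strip().splitlines()

IOC_LINE_RE = re.compile(r"^-\s*(url|domain|ip:port|file|hash):\s*(\S+)\s*$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
PORT_RE = re.compile(r"^\d{1,5}$")
KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value tokens in the constructed log lines (assumed format)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def parse_iocs(lines):
    """Return {"ip_port", "ip", "domain", "url", "sha256"} -> set of normalized values."""
    iocs = {k: set() for k in ("ip_port", "ip", "domain", "url", "sha256")}
    pending_ip = None  # IP from a "file:" line whose port line has not been seen yet
    for line in lines:
        m = IOC_LINE_RE.match(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "file" and is_ip(value):
            pending_ip = value
            continue
        if kind == "hash" and pending_ip and PORT_RE.match(value) and int(value) < 65536:
            iocs["ip_port"].add(f"{pending_ip}:{value}")
            iocs["ip"].add(pending_ip)
            pending_ip = None
            continue
        pending_ip = None  # anything else ends a file/hash pair
        if kind == "hash" and SHA256_RE.match(value):
            iocs["sha256"].add(value.lower())
        elif kind == "ip:port" and is_ip(value.rpartition(":")[0]):
            iocs["ip_port"].add(value)
            iocs["ip"].add(value.rpartition(":")[0])
        elif kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind == "url":
            iocs["url"].add(value)
            host = urlsplit(value).hostname  # index the host too, so DNS and proxy logs can hit it
            if host:
                (iocs["ip"] if is_ip(host) else iocs["domain"]).add(host.lower())
    return iocs

# Constructed log lines: two proxy events, two DNS queries and one EDR file event.
SAMPLE_LOGS = [
    "2025-11-19T10:02:11Z proxy src=10.0.4.21 dst=202.155.141.62:8888 url=http://202.155.141.62:8888/supershell/login/ status=200",
    "2025-11-19T10:02:40Z proxy src=10.0.4.21 dst=202.155.141.62:443 url=https://202.155.141.62/ status=200",
    "2025-11-19T10:03:00Z dns client=10.0.4.22 query=vcc-library.uk type=A",
    "2025-11-19T10:03:05Z dns client=10.0.4.22 query=www.example.com type=A",
    "2025-11-19T10:05:44Z edr host=ws-17 sha256=0A542751724A432A8448324613E0CE10393E41739A1800CBB7D5A2C648FCDC35 action=create",
]

def match_line(line, iocs):
    """Return (ioc_type, value) hits for one key=value log line. A bare-IP hit against an
    ip:port indicator is reported as "ip_only": the port differed, and shared or reassigned
    hosting addresses make that a weaker signal than an exact match."""
    fields = dict(KV_RE.findall(line))
    hits = []
    url = fields.get("url")
    if url and url in iocs["url"]:
        hits.append(("url", url))
    dst = fields.get("dst")
    if dst:
        ip = dst.rpartition(":")[0] or dst
        if dst in iocs["ip_port"]:
            hits.append(("ip_port", dst))
        elif ip in iocs["ip"]:
            hits.append(("ip_only", ip))
    query = fields.get("query", "").lower().rstrip(".")
    if query in iocs["domain"]:
        hits.append(("domain", query))
    digest = fields.get("sha256", "").lower()
    if digest in iocs["sha256"]:
        hits.append(("sha256", digest))
    return hits

def scan(log_lines, iocs):
    """Return [(line_index, hits)] for every line with at least one hit."""
    return [(i, h) for i, l in enumerate(log_lines) if (h := match_line(l, iocs))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS, parse_iocs(RAW_IOC_LINES)):
        print(index, hits)
```

Running it reports the Supershell login request as both a URL and an ip:port hit, the second proxy event as an "ip_only" hit (same address, different port), the DNS query as a domain hit and the uppercase EDR hash as a sha256 hit; the query for www.example.com produces nothing. Keeping the ip_only class separate is what lets a SIEM rule block on exact ip:port and URL matches while only alerting on bare-address matches, as recommended above.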
Technical Details
- Threat Level: 2 (MISP scale: Medium)
- Analysis: 1 (MISP: Ongoing)
- Distribution: 3 (MISP: All communities)
- Uuid: e6ff8ef2-7ac4-41e7-9a53-e434e4de7177
- Original Timestamp: 1763596985 (2025-11-20 00:03:05 UTC)
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://202.155.141.62:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttps://digital-marketing-pro-365.com/api/upload | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttps://digital-marketing-pro-365.com/api/tasks | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttp://4.221.211.80:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttp://14.128.53.148:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttps://playgoogle-gpttrade.com/gpt%20trade.apk | Unknown malware payload delivery URL (confidence level: 50%) | |
urlhttp://95.164.53.100/private/yarsap_80541.php | Unknown malware botnet C2 (confidence level: 50%) | |
urlhttp://95.164.53.100:8080/ | Unknown malware botnet C2 (confidence level: 50%) | |
urlhttp://185.196.10.188 | Amadey botnet C2 (confidence level: 100%) | |
urlhttp://45.159.189.140 | Amadey botnet C2 (confidence level: 100%) | |
urlhttps://178.16.54.175/fc98bed393364b52.php | Stealc botnet C2 (confidence level: 50%) | |
urlhttps://www.remittances.oemsupport.co.za/ | Unknown malware botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrfzjjfsrzj.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrfzjjfsrzjr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogddhjtdj.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogddhjtdjr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrefsesg.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrefsesgr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrhdthsr.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrhdthsrr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrsfsegh.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrsfseghr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrsfzjfs.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrsfzjfsr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrshggir.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrshggirr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrshghsh.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrshghshr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrstjgrr.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrogrstjgrrr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrsrgsreidg.ru/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttp://rghirgsrsrgsreidgr.su/ | Phorpiex botnet C2 (confidence level: 50%) | |
urlhttps://sol.clashofmaps.vip/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://sol.mummyhildasrice.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://arkanix.pw/api/session/create | Unknown Stealer botnet C2 (confidence level: 100%) | |
urlhttps://arkanix.pw/delivery | Unknown Stealer botnet C2 (confidence level: 100%) | |
urlhttps://arkanix.pw/api/discord-injection/template | Unknown Stealer botnet C2 (confidence level: 100%) | |
urlhttps://46.62.245.61/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://95.217.246.10/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://5.75.216.214/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://91.98.235.73/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://91.99.193.141/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://95.216.180.226/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://116.202.176.212/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://49.13.39.18/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://135.181.41.44/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://fra.nigeriaafricatime.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://stickvpn.com/get.php?oid=ad9bc13f7f50318a1e7d6f8f95b7f479 | ClearFake payload delivery URL (confidence level: 75%) | |
urlhttp://apple-service.bet/get.php?oid=ad9bc13f7f50318a1e7d6f8f95b7f479 | ClearFake payload delivery URL (confidence level: 75%) | |
urlhttps://koleporter.com/propagation/yup.js | NetSupportManager RAT payload delivery URL (confidence level: 100%) | |
urlhttps://koleporter.com/propagation/propagate.php | NetSupportManager RAT payload delivery URL (confidence level: 100%) | |
urlhttps://koleporter.com/propagation/png.js | NetSupportManager RAT payload delivery URL (confidence level: 100%) | |
urlhttps://possiblcix.com/meta | NetSupportManager RAT payload delivery URL (confidence level: 100%) | |
urlhttps://eco-technic.com/sdjkkxx.zip | NetSupportManager RAT payload delivery URL (confidence level: 100%) | |
urlhttp://77.90.185.45/ | Hook botnet C2 (confidence level: 50%) | |
urlhttp://185.173.38.8:8080/ | Chaos botnet C2 (confidence level: 50%) | |
urlhttps://resusct.qpon/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://verify-connection.sbs | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://helpforyourdepression.com/1.wav | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://sxwajnextcloud.csmanay.com | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://rdweb.csmanay.com | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://store.csmanay.com | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://protection-hub.cfd | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://flipgg.sbs | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://app-sanctum.top | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://steamcommunity.com/profiles/76561198767911792 | Vidar botnet C2 (confidence level: 75%) | |
urlhttps://axlom-app.cfd | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://app-marginfi.sbs | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://servidorunico.com/config/token.txt | Unknown malware botnet C2 (confidence level: 50%) | |
urlhttps://app-everstake.cfd | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://transition-gate.help | Unknown malware payload delivery URL (confidence level: 100%) | |
urlhttps://gjt.clashofmaps.vip/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://gjt.mummyhildasrice.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttp://68.210.136.253:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttp://nudump.com | Amadey botnet C2 (confidence level: 100%) | |
urlhttp://91.211.251.106 | Stealc botnet C2 (confidence level: 100%) | |
urlhttp://198.199.75.154/set.php | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttps://ukhorizons.com/4e5e.js | KongTuke payload delivery URL (confidence level: 100%) | |
urlhttps://ukhorizons.com/js.php | KongTuke payload delivery URL (confidence level: 100%) | |
urlhttp://69.67.172.194:6655/meta | KongTuke payload delivery URL (confidence level: 100%) | |
urlhttps://demo.guetteinsurance.com/revised/contract/teamsfinal/teams/windows/invite.php | Unknown RAT payload delivery URL (confidence level: 50%) | |
urlhttps://solardairy.com/excel/windows/invite.php | Unknown RAT payload delivery URL (confidence level: 50%) | |
urlhttps://us03zoomwebjoin.com/windows/invite.php | Unknown RAT payload delivery URL (confidence level: 50%) | |
urlhttps://strivora.digital/d/windows/invite.php | Unknown RAT payload delivery URL (confidence level: 50%) | |
urlhttps://revised-doc.com/excel/now/windows/invite.php | Unknown RAT payload delivery URL (confidence level: 50%) | |
urlhttps://www.hotelthilanka.com/ | Unknown malware payload delivery URL (confidence level: 50%) |
IP:port
| Value | Description |
|---|---|
| 202.155.141.62:8888 | Unknown malware botnet C2 server (confidence level: 100%) |
| 45.83.207.191:3778 | Mirai botnet C2 server (confidence level: 80%) |
| 154.6.197.36:1999 | Mirai botnet C2 server (confidence level: 80%) |
| 213.209.143.62:56999 | Mirai botnet C2 server (confidence level: 80%) |
| 35.192.163.54:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 85.9.200.153:443 | MimiKatz botnet C2 server (confidence level: 100%) |
| 168.245.200.119:3790 | Meterpreter botnet C2 server (confidence level: 100%) |
| 77.110.114.65:7075 | PureLogs Stealer botnet C2 server (confidence level: 100%) |
| 144.76.96.36:7705 | PureLogs Stealer botnet C2 server (confidence level: 100%) |
| 37.221.93.81:3778 | Mirai botnet C2 server (confidence level: 100%) |
| 117.72.195.22:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 8.219.134.47:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 45.74.15.133:2405 | Remcos botnet C2 server (confidence level: 100%) |
| 83.136.210.210:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 87.251.69.96:8000 | Sliver botnet C2 server (confidence level: 100%) |
| 54.219.247.190:17018 | Sliver botnet C2 server (confidence level: 100%) |
| 172.86.113.235:9000 | SectopRAT botnet C2 server (confidence level: 100%) |
| 172.86.113.240:9000 | SectopRAT botnet C2 server (confidence level: 100%) |
| 109.71.245.105:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 77.110.102.196:45051 | Hook botnet C2 server (confidence level: 100%) |
| 185.72.199.82:7000 | Venom RAT botnet C2 server (confidence level: 100%) |
| 23.27.169.36:8848 | DCRat botnet C2 server (confidence level: 100%) |
| 45.64.113.97:443 | MooBot botnet C2 server (confidence level: 100%) |
| 72.60.70.33:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 107.173.227.99:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 23.248.214.26:6781 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 47.98.129.151:65530 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 156.234.94.204:3184 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 110.41.3.12:8088 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 178.16.52.138:443 | Latrodectus botnet C2 server (confidence level: 100%) |
| 158.94.209.192:443 | Latrodectus botnet C2 server (confidence level: 100%) |
| 140.228.29.75:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 45.145.42.138:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 47.98.215.228:8888 | Unknown malware botnet C2 server (confidence level: 100%) |
| 185.177.239.95:8089 | Hook botnet C2 server (confidence level: 100%) |
| 51.94.189.33:5060 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 51.94.189.33:52260 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 185.234.75.84:6667 | Bashlite botnet C2 server (confidence level: 75%) |
| 1.161.69.16:443 | QakBot botnet C2 server (confidence level: 75%) |
| 158.247.237.29:8080 | Sliver botnet C2 server (confidence level: 75%) |
| 8.132.227.59:4506 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 223.26.62.216:5566 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 121.127.233.109:66 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 194.68.44.13:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 43.140.35.156:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 192.159.99.47:3512 | Mirai botnet C2 server (confidence level: 75%) |
| 5.255.105.69:48996 | Mirai botnet C2 server (confidence level: 75%) |
| 94.228.169.227:5122 | Remcos botnet C2 server (confidence level: 100%) |
| 79.137.248.188:7099 | Remcos botnet C2 server (confidence level: 100%) |
| 216.126.239.141:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 47.98.254.140:10443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 66.154.127.129:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 45.156.87.159:8080 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 103.103.46.39:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 83.216.113.194:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 185.95.165.37:4848 | Unknown malware botnet C2 server (confidence level: 100%) |
| 109.74.144.151:8080 | Unknown malware botnet C2 server (confidence level: 100%) |
| 23.22.49.187:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 2.59.156.227:92 | Unknown malware botnet C2 server (confidence level: 100%) |
| 193.233.19.9:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 8.131.103.16:81 | Cobalt Strike botnet C2 server (confidence level: 75%) |
| 178.173.234.156:7374 | Remcos botnet C2 server (confidence level: 100%) |
| 203.86.233.121:1912 | RedLine Stealer botnet C2 server (confidence level: 100%) |
| 18.185.89.255:18100 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 209.200.246.43:1912 | Crimson RAT botnet C2 server (confidence level: 100%) |
| 107.175.246.23:3650 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 101.37.100.133:443 | Cobalt Strike botnet C2 server (confidence level: 75%) |
| 104.160.9.139:443 | Meterpreter botnet C2 server (confidence level: 75%) |
| 145.223.69.191:443 | Meterpreter botnet C2 server (confidence level: 75%) |
| 185.180.221.8:443 | Meterpreter botnet C2 server (confidence level: 75%) |
| 47.242.129.79:12096 | Cobalt Strike botnet C2 server (confidence level: 75%) |
| 84.32.10.28:4444 | Meterpreter botnet C2 server (confidence level: 75%) |
| 46.62.245.61:443 | Vidar botnet C2 server (confidence level: 100%) |
| 95.217.246.10:443 | Vidar botnet C2 server (confidence level: 100%) |
| 5.75.216.214:443 | Vidar botnet C2 server (confidence level: 100%) |
| 46.62.240.209:443 | Vidar botnet C2 server (confidence level: 100%) |
| 91.98.235.73:443 | Vidar botnet C2 server (confidence level: 100%) |
| 91.99.193.141:443 | Vidar botnet C2 server (confidence level: 100%) |
| 95.216.180.226:443 | Vidar botnet C2 server (confidence level: 100%) |
| 116.202.176.212:443 | Vidar botnet C2 server (confidence level: 100%) |
| 49.13.39.18:443 | Vidar botnet C2 server (confidence level: 100%) |
| 135.181.41.44:443 | Vidar botnet C2 server (confidence level: 100%) |
| 46.247.108.59:5888 | Remcos botnet C2 server (confidence level: 75%) |
| 5.252.177.120:443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 172.245.112.203:6790 | Remcos botnet C2 server (confidence level: 100%) |
| 8.155.161.181:8099 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 123.60.60.119:4444 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 139.59.182.58:443 | Sliver botnet C2 server (confidence level: 100%) |
| 20.218.226.85:8080 | Sliver botnet C2 server (confidence level: 100%) |
| 34.9.142.238:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 143.110.187.124:8089 | Hook botnet C2 server (confidence level: 100%) |
| 75.174.70.217:80 | Quasar RAT botnet C2 server (confidence level: 100%) |
| 212.11.64.30:591 | DCRat botnet C2 server (confidence level: 100%) |
| 79.241.103.65:82 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 18.227.26.237:443 | PoshC2 botnet C2 server (confidence level: 100%) |
| 120.27.206.92:6443 | AdaptixC2 botnet C2 server (confidence level: 100%) |
| 196.65.214.27:2222 | Meterpreter botnet C2 server (confidence level: 100%) |
| 18.205.21.130:6004 | Meterpreter botnet C2 server (confidence level: 100%) |
| 38.242.151.91:8080 | BianLian botnet C2 server (confidence level: 100%) |
| 95.164.123.63:443 | Vidar botnet C2 server (confidence level: 100%) |
| 91.214.78.137:443 | Vidar botnet C2 server (confidence level: 100%) |
| 95.164.53.17:443 | Vidar botnet C2 server (confidence level: 100%) |
| 20.6.131.45:443 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 107.148.50.75:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 104.194.153.128:7000 | DCRat botnet C2 server (confidence level: 100%) |
| 212.11.64.30:8080 | DCRat botnet C2 server (confidence level: 100%) |
| 103.45.233.213:7000 | XWorm botnet C2 server (confidence level: 100%) |
| 102.37.156.171:445 | Havoc botnet C2 server (confidence level: 75%) |
| 121.209.145.42:2222 | QakBot botnet C2 server (confidence level: 75%) |
| 186.212.28.246:8081 | Havoc botnet C2 server (confidence level: 75%) |
| 34.172.85.181:7443 | Unknown malware botnet C2 server (confidence level: 75%) |
| 47.237.171.208:8080 | Chaos botnet C2 server (confidence level: 75%) |
| 77.49.179.35:995 | QakBot botnet C2 server (confidence level: 75%) |
| 98.87.114.152:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 124.70.39.137:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 91.92.243.20:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 156.234.216.171:6781 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 117.72.206.244:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 47.84.30.113:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 178.16.55.10:443 | Sliver botnet C2 server (confidence level: 100%) |
| 144.172.106.140:8080 | Sliver botnet C2 server (confidence level: 100%) |
| 34.135.61.121:8888 | Unknown malware botnet C2 server (confidence level: 100%) |
| 44.201.144.100:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 64.176.179.199:3000 | Unknown malware botnet C2 server (confidence level: 100%) |
| 45.61.157.22:443 | Venom RAT botnet C2 server (confidence level: 100%) |
| 144.31.221.154:8000 | Unknown malware botnet C2 server (confidence level: 100%) |
| 206.238.196.220:8083 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 198.46.173.11:62520 | PureLogs Stealer botnet C2 server (confidence level: 100%) |
| 98.142.247.134:1912 | RedLine Stealer botnet C2 server (confidence level: 100%) |
Hash (SHA-256)
| Value | Description |
|---|---|
| 0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35 | Unknown malware payload (confidence level: 50%) |
| 918f002a41f9551d48ece999ccba504fcf7596017d9566c07c5335fe0081effe | Unknown malware payload (confidence level: 50%) |
| 7f005c10f80372311e9c038526d81d931672d15c644fef2a77eefd67c6235917 | Unknown malware payload (confidence level: 50%) |
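The feed is only useful once its rows are typed and matched. The script below is an added example for this page, not ThreatFox's own code or export format: it takes rows in the raw form in which the scraper delivered this page (the IOC type fused onto the value, and each ThreatFox ip:port indicator split into a "File" list holding the IP and a "Hash" list holding the port, in the same row order, with the three genuine SHA-256 hashes sitting among the ports), rejoins the halves positionally, refuses to guess when the two lists do not line up, and then checks a handful of log lines against the result. The sample rows are copied from this page's tables; the log lines and their field layout are constructed for the example.

```python
"""Rebuild the flattened ThreatFox rows on this page as typed indicators and
match them against log lines.  Added example for this page, not ThreatFox's own
code or export format.  SAMPLE_ROWS are copied from the page's tables; the log
lines and the log format are constructed for the example."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Scraped form of the rows: the IOC type is fused onto the value ("file45.83..."),
# the "File" list holds the IP half and the "Hash" list the port half of each
# ThreatFox ip:port indicator in the same row order, and genuine SHA-256 hashes
# sit in the "Hash" list among the ports.
SAMPLE_ROWS = [
    "urlhttps://gjt.clashofmaps.vip/ | Vidar botnet C2 (confidence level: 100%) | |",
    "urlhttps://ukhorizons.com/js.php | KongTuke payload delivery URL (confidence level: 100%) | |",
    "file45.83.207.191 | Mirai botnet C2 server (confidence level: 80%) | |",
    "file51.94.189.33 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |",
    "file51.94.189.33 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |",
    "hash3778 | Mirai botnet C2 server (confidence level: 80%) | |",
    "hash0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35 | Unknown malware payload (confidence level: 50%) | |",
    "hash5060 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |",
    "hash52260 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |",
    "domaingjt.clashofmaps.vip | Vidar botnet C2 domain (confidence level: 100%) | |",
]
ROW_RE = re.compile(r"^(url|file|hash|domain)(\S+) \| (.+?) \(confidence level: (\d+)%\)")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # "url", "domain", "sha256" or "ip:port"
    value: str
    description: str
    confidence: int


def parse_rows(rows):
    """Group rows by their fused type prefix, then rejoin the file/hash lists
    positionally into ip:port indicators; refuse to guess if they do not align."""
    groups = {"url": [], "file": [], "hash": [], "domain": []}
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            prefix, value, desc, conf = m.groups()
            groups[prefix].append((value, desc, int(conf)))
    out = [Indicator(t, v, d, c) for t in ("url", "domain") for v, d, c in groups[t]]
    ports = []
    for v, d, c in groups["hash"]:
        if SHA256_RE.match(v):
            out.append(Indicator("sha256", v, d, c))
        elif v.isdigit() and 1 <= int(v) <= 65535:
            ports.append(v)
        else:
            raise ValueError(f"hash list holds neither a SHA-256 nor a port: {v!r}")
    if len(groups["file"]) != len(ports):
        raise ValueError(f"ip/port lists differ: {len(groups['file'])} vs {len(ports)}")
    for (ip, d, c), port in zip(groups["file"], ports):
        out.append(Indicator("ip:port", f"{ip}:{port}", d, c))
    return out


def normalise_url(url):
    """Scheme + lower-cased host + path without trailing slash, so that
    'https://GJT.clashofmaps.vip' and 'https://gjt.clashofmaps.vip/' compare equal."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path.rstrip('/')}"


def build_index(indicators):
    """One exact-match dictionary per IOC type."""
    index = {"url": {}, "domain": {}, "sha256": {}, "ip:port": {}}
    for ind in indicators:
        key = normalise_url(ind.value) if ind.ioc_type == "url" else ind.value.lower()
        index[ind.ioc_type][key] = ind
    return index


# Constructed log lines (not from the page); fields are
# "<ts> <src_ip> <dst_ip> <dst_port> <host|-> <url|-> <sha256|->".
SAMPLE_LOGS = [
    "2025-11-19T10:01:02Z 10.0.0.5 45.83.207.191 3778 - - -",
    "2025-11-19T10:02:10Z 10.0.0.7 203.0.113.9 443 gjt.clashofmaps.vip https://GJT.clashofmaps.vip/ -",
    "2025-11-19T10:03:33Z 10.0.0.9 198.51.100.20 443 ukhorizons.com https://ukhorizons.com/js.php "
    "0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35",
    "2025-11-19T10:04:00Z 10.0.0.5 45.83.207.191 80 - - -",
]


def match_log(index, line):
    """Indicators hit by one log line.  ip:port needs both halves to match, so
    45.83.207.191:80 is not a hit when the feed only lists port 3778."""
    _ts, _src, dst_ip, dst_port, host, url, sha = line.split()
    lookups = (("ip:port", f"{dst_ip}:{dst_port}"), ("domain", host.lower()),
               ("url", normalise_url(url) if url != "-" else "-"), ("sha256", sha.lower()))
    return [index[t][k] for t, k in lookups if k in index[t]]


def scan(rows=SAMPLE_ROWS, logs=SAMPLE_LOGS):
    """Timestamp -> list of (type, value) hits, for every line in `logs`."""
    index = build_index(parse_rows(rows))
    return {line.split()[0]: [(i.ioc_type, i.value) for i in match_log(index, line)]
            for line in logs}


if __name__ == "__main__":
    for ts, hits in scan().items():
        print(ts, hits or "clean")
```

Two details matter in practice. The repeated IP 51.94.189.33 is not a duplicate once the ports are rejoined (5060 and 52260 are distinct listeners), so deduplicating on the IP alone would drop a real indicator; and an ip:port indicator is deliberately not matched on the IP alone, which keeps a shared hosting address with one bad port from flagging every connection to it. URL matching normalises case and the trailing slash only; path or query variations beyond that are left as exact mismatches rather than guessed.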
Domain
| Value | Description |
|---|---|
| vcc-library.uk | Unknown Stealer botnet C2 domain (confidence level: 100%) |
| digital-marketing-pro-365.com | Unknown malware botnet C2 domain (confidence level: 100%) |
| wee-wee-gachi-master.com | Unknown malware botnet C2 domain (confidence level: 100%) |
| newtry.app | Unknown RAT botnet C2 domain (confidence level: 100%) |
| weald.0akstream.ru | ClearFake payload delivery domain (confidence level: 100%) |
| harbr.deepv0yage.ru | ClearFake payload delivery domain (confidence level: 100%) |
| gleem.deepv0yage.ru | ClearFake payload delivery domain (confidence level: 100%) |
| trakk.deepv0yage.ru | ClearFake payload delivery domain (confidence level: 100%) |
| wolke.deepv0yage.ru | ClearFake payload delivery domain (confidence level: 100%) |
| pfed.deepv0yage.ru | ClearFake payload delivery domain (confidence level: 100%) |
| drizz.rainv1sta.ru | ClearFake payload delivery domain (confidence level: 100%) |
| medow.rainv1sta.ru | ClearFake payload delivery domain (confidence level: 100%) |
| gusty.rainv1sta.ru | ClearFake payload delivery domain (confidence level: 100%) |
| vally.s0ftvale.ru | ClearFake payload delivery domain (confidence level: 100%) |
| wylde.s0ftvale.ru | ClearFake payload delivery domain (confidence level: 100%) |
| breez.s0ftvale.ru | ClearFake payload delivery domain (confidence level: 100%) |
| silem.s0ftvale.ru | ClearFake payload delivery domain (confidence level: 100%) |
| foggy.mistytrai1.ru | ClearFake payload delivery domain (confidence level: 100%) |
| pfth.mistytrai1.ru | ClearFake payload delivery domain (confidence level: 100%) |
| bydfiexchange.live | Unknown malware payload delivery domain (confidence level: 100%) |
| turne.mistytrai1.ru | ClearFake payload delivery domain (confidence level: 100%) |
| gloww.brightden.ru | ClearFake payload delivery domain (confidence level: 100%) |
| dawne.brightden.ru | ClearFake payload delivery domain (confidence level: 100%) |
| brisk.brightden.ru | ClearFake payload delivery domain (confidence level: 100%) |
| sumer.brightden.ru | ClearFake payload delivery domain (confidence level: 100%) |
| ambr.firer1dge.ru | ClearFake payload delivery domain (confidence level: 100%) |
| brige.firer1dge.ru | ClearFake payload delivery domain (confidence level: 100%) |
| cindr.firer1dge.ru | ClearFake payload delivery domain (confidence level: 100%) |
| flair.firer1dge.ru | ClearFake payload delivery domain (confidence level: 100%) |
| argent.s1lvergate.ru | ClearFake payload delivery domain (confidence level: 100%) |
| weald.s1lvergate.ru | ClearFake payload delivery domain (confidence level: 100%) |
| bruke.s1lvergate.ru | ClearFake payload delivery domain (confidence level: 100%) |
| wolkr.2tannenpfad.ru | ClearFake payload delivery domain (confidence level: 100%) |
| birhc.2tannenpfad.ru | ClearFake payload delivery domain (confidence level: 100%) |
| gleem.2tannenpfad.ru | ClearFake payload delivery domain (confidence level: 100%) |
| rauch.2tannenpfad.ru | ClearFake payload delivery domain (confidence level: 100%) |
| stern.aurora1hain.ru | ClearFake payload delivery domain (confidence level: 100%) |
| moos.aurora1hain.ru | ClearFake payload delivery domain (confidence level: 100%) |
| glowe.aurora1hain.ru | ClearFake payload delivery domain (confidence level: 100%) |
| fjord.kieselufer8.ru | ClearFake payload delivery domain (confidence level: 100%) |
| falke.kieselufer8.ru | ClearFake payload delivery domain (confidence level: 100%) |
| timeserver.uasecurity.org | Unknown malware botnet C2 domain (confidence level: 50%) |
| aptabase.fud2026.xyz | Unknown malware botnet C2 domain (confidence level: 50%) |
| kleea.kieselufer8.ru | ClearFake payload delivery domain (confidence level: 100%) |
| udefined30.domainofhonour40.xyz | Tuoni botnet C2 domain (confidence level: 50%) |
| kupaoquan.com | Tuoni botnet C2 domain (confidence level: 50%) |
| weiss.kieselufer8.ru | ClearFake payload delivery domain (confidence level: 100%) |
| huckypet.ydns.eu | Remcos botnet C2 domain (confidence level: 100%) |
| huckypet2.ydns.eu | Remcos botnet C2 domain (confidence level: 100%) |
| syonr-23784.portmap.io | Quasar RAT botnet C2 domain (confidence level: 100%) |
| interest-weather.gl.at.ply.gg | Quasar RAT botnet C2 domain (confidence level: 100%) |
| parties-trance.gl.at.ply.gg | Quasar RAT botnet C2 domain (confidence level: 100%) |
| dune.kieselufer8.ru | ClearFake payload delivery domain (confidence level: 100%) |
| cdn.xoilac86s.cc | AsyncRAT botnet C2 domain (confidence level: 50%) |
| gatex.www.moroccancam.com | AsyncRAT botnet C2 domain (confidence level: 50%) |
| static.xoilac86s.cc | AsyncRAT botnet C2 domain (confidence level: 50%) |
| xoilacv.ac | AsyncRAT botnet C2 domain (confidence level: 50%) |
| consultaprocesosramajudicialgov.run.place | DCRat botnet C2 domain (confidence level: 50%) |
| bot.sinestreacute.fun | Mirai botnet C2 domain (confidence level: 50%) |
| rghirgsrfzjjfsrzj.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrfzjjfsrzjr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogddhjtdj.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogddhjtdjr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrefsesg.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrefsesgr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrhdthsr.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrhdthsrr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrsfsegh.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrsfseghr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrsfzjfsr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrshggirr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrshghsh.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrshghshr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrstjgrr.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrogrstjgrrr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrsrgsreidg.ru | Phorpiex botnet C2 domain (confidence level: 50%) |
| rghirgsrsrgsreidgr.su | Phorpiex botnet C2 domain (confidence level: 50%) |
| milogviolo.ddns.net | Quasar RAT botnet C2 domain (confidence level: 50%) |
| thales3033.com | Remcos botnet C2 domain (confidence level: 50%) |
| submit-offered.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) |
| take-fragrances.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) |
| eis.nebulaquelle3.ru | ClearFake payload delivery domain (confidence level: 100%) |
| wolfe.nebulaquelle3.ru | ClearFake payload delivery domain (confidence level: 100%) |
| licht.nebulaquelle3.ru | ClearFake payload delivery domain (confidence level: 100%) |
| ufer.spruce5moor.ru | ClearFake payload delivery domain (confidence level: 100%) |
| sol.clashofmaps.vip | Vidar botnet C2 domain (confidence level: 100%) |
| sol.mummyhildasrice.com | Vidar botnet C2 domain (confidence level: 100%) |
| geist.spruce5moor.ru | ClearFake payload delivery domain (confidence level: 100%) |
| sterm.echo6fern.ru | ClearFake payload delivery domain (confidence level: 100%) |
| brise.echo6fern.ru | ClearFake payload delivery domain (confidence level: 100%) |
| tal.echo6fern.ru | ClearFake payload delivery domain (confidence level: 100%) |
| glade.hollow7ridge.ru | ClearFake payload delivery domain (confidence level: 100%) |
| glint.basaltwisp9.ru | ClearFake payload delivery domain (confidence level: 100%) |
| rauch.nebulaquelle3.ru | ClearFake payload delivery domain (confidence level: 100%) |
| vapr.basaltwisp9.ru | ClearFake payload delivery domain (confidence level: 100%) |
| ember.basaltwisp9.ru | ClearFake payload delivery domain (confidence level: 100%) |
| brutalinfgonzasochi.com | Latrodectus botnet C2 domain (confidence level: 100%) |
| ardotcharleybuking.com | Latrodectus botnet C2 domain (confidence level: 100%) |
| quarz.basaltwisp9.ru | ClearFake payload delivery domain (confidence level: 100%) |
| rune.spruce5moor.ru | ClearFake payload delivery domain (confidence level: 100%) |
| korn.echo6fern.ru | ClearFake payload delivery domain (confidence level: 100%) |
| weald.echo6fern.ru | ClearFake payload delivery domain (confidence level: 100%) |
| drb.amin0mer3ges.ru | ClearFake payload delivery domain (confidence level: 100%) |
| grove.hollow7ridge.ru | ClearFake payload delivery domain (confidence level: 100%) |
| klif.hollow7ridge.ru | ClearFake payload delivery domain (confidence level: 100%) |
| vale.amin0mer3ges.ru | ClearFake payload delivery domain (confidence level: 100%) |
| yp.amin0mer3ges.ru | ClearFake payload delivery domain (confidence level: 100%) |
| ha.amin0mer3ges.ru | ClearFake payload delivery domain (confidence level: 100%) |
| xq9.diab4uette.ru | ClearFake payload delivery domain (confidence level: 100%) |
| delta.diab4uette.ru | ClearFake payload delivery domain (confidence level: 100%) |
| i9.diab4uette.ru | ClearFake payload delivery domain (confidence level: 100%) |
| godabeg.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) |
| navox.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) |
| oilmoney.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) |
| godwilling.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) |
| wealthyme.ddns.net | NetWire RC botnet C2 domain (confidence level: 100%) |
| yq9g.diab4uette.ru | ClearFake payload delivery domain (confidence level: 100%) |
| wn.n0v0se1prew.ru | ClearFake payload delivery domain (confidence level: 100%) |
| alpha3.n0v0se1prew.ru | ClearFake payload delivery domain (confidence level: 100%) |
| core.n0v0se1prew.ru | ClearFake payload delivery domain (confidence level: 100%) |
| loom.n0v0se1prew.ru | ClearFake payload delivery domain (confidence level: 100%) |
| 5bwm.galy8phony.ru | ClearFake payload delivery domain (confidence level: 100%) |
| anchor.galy8phony.ru | ClearFake payload delivery domain (confidence level: 100%) |
| yl56b.galy8phony.ru | ClearFake payload delivery domain (confidence level: 100%) |
| echo.galy8phony.ru | ClearFake payload delivery domain (confidence level: 100%) |
| blink8.brahtr0phy.ru | ClearFake payload delivery domain (confidence level: 100%) |
| fra.nigeriaafricatime.com | Vidar botnet C2 domain (confidence level: 100%) |
| flux.brahtr0phy.ru | ClearFake payload delivery domain (confidence level: 100%) |
| l7ks5.brahtr0phy.ru | ClearFake payload delivery domain (confidence level: 100%) |
| wave6.brahtr0phy.ru | ClearFake payload delivery domain (confidence level: 100%) |
| trace.nob0dy5yabky.ru | ClearFake payload delivery domain (confidence level: 100%) |
| jta2v.nob0dy5yabky.ru | ClearFake payload delivery domain (confidence level: 100%) |
| q5z.nob0dy5yabky.ru | ClearFake payload delivery domain (confidence level: 100%) |
| jcw.nob0dy5yabky.ru | ClearFake payload delivery domain (confidence level: 100%) |
| vivid8.kalmykvic0te.ru | ClearFake payload delivery domain (confidence level: 100%) |
| ww8.kalmykvic0te.ru | ClearFake payload delivery domain (confidence level: 100%) |
| 5f.kalmykvic0te.ru | ClearFake payload delivery domain (confidence level: 100%) |
| koleporter.com | NetSupportManager RAT payload delivery domain (confidence level: 100%) |
| kjh.servebeer.com | Mirai botnet C2 domain (confidence level: 50%) |
| genbloke.mywire.org | Remcos botnet C2 domain (confidence level: 50%) |
| winwin24.mywire.org | Remcos botnet C2 domain (confidence level: 50%) |
| politics-tower.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 50%) |
| nova.kalmykvic0te.ru | ClearFake payload delivery domain (confidence level: 100%) |
| lr9kw.c0rkpr0tect.ru | ClearFake payload delivery domain (confidence level: 100%) |
| setforsurerealz.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) |
| blindersxorrect.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) |
| grasshopper3030goals.duckdns.org | Remcos botnet C2 domain (confidence level: 100%) |
| resusct.qpon | Lumma Stealer botnet C2 domain (confidence level: 100%) |
| 34m37.c0rkpr0tect.ru | ClearFake payload delivery domain (confidence level: 100%) |
| ynk.c0rkpr0tect.ru | ClearFake payload delivery domain (confidence level: 100%) |
| beacon.c0rkpr0tect.ru | ClearFake payload delivery domain (confidence level: 100%) |
| spark3.primurib1er.ru | ClearFake payload delivery domain (confidence level: 100%) |
| vrxl3.primurib1er.ru | ClearFake payload delivery domain (confidence level: 100%) |
| verify-connection.sbs | Unknown malware payload delivery domain (confidence level: 100%) |
| rdweb.csmanay.com | Unknown malware payload delivery domain (confidence level: 100%) |
| sxwajnextcloud.csmanay.com | Unknown malware payload delivery domain (confidence level: 100%) |
| store.csmanay.com | Unknown malware payload delivery domain (confidence level: 100%) |
| protection-hub.cfd | Unknown malware payload delivery domain (confidence level: 100%) |
| flipgg.sbs | Unknown malware payload delivery domain (confidence level: 100%) |
| rift.primurib1er.ru | ClearFake payload delivery domain (confidence level: 100%) |
| app-sanctum.top | Unknown malware payload delivery domain (confidence level: 100%) |
| axlom-app.cfd | Unknown malware payload delivery domain (confidence level: 100%) |
| app-marginfi.sbs | Unknown malware payload delivery domain (confidence level: 100%) |
| r7mc8.primurib1er.ru | ClearFake payload delivery domain (confidence level: 100%) |
| app-everstake.cfd | Unknown malware payload delivery domain (confidence level: 100%) |
| transition-gate.help | Unknown malware payload delivery domain (confidence level: 100%) |
| wolke.immigrant5p.ru | ClearFake payload delivery domain (confidence level: 100%) |
| glade.immigrant5p.ru | ClearFake payload delivery domain (confidence level: 100%) |
| rune.immigrant5p.ru | ClearFake payload delivery domain (confidence level: 100%) |
| moor.immigrant5p.ru | ClearFake payload delivery domain (confidence level: 100%) |
| geist.grin5cra7ers.ru | ClearFake payload delivery domain (confidence level: 100%) |
| gjt.clashofmaps.vip | Vidar botnet C2 domain (confidence level: 100%) |
domaingjt.mummyhildasrice.com | Vidar botnet C2 domain (confidence level: 100%) | |
domainufer.grin5cra7ers.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainklee.grin5cra7ers.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainstern.fo0operate1.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainweald.fo0operate1.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfalke.fo0operate1.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintau.fo0operate1.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaindorn.fo0operate1.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbirch.cou10sheaf.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhain.cou10sheaf.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainlicht.cou10sheaf.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsturm.payc0medy.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainpfad.payc0medy.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainthreadproperty.xyz | Unknown Loader botnet C2 domain (confidence level: 100%) | |
domainbrise.payc0medy.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainukhorizons.com | KongTuke payload delivery domain (confidence level: 100%) | |
domainwald.payc0medy.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainadler.capi1aryhold.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmoos.capi1aryhold.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainharz.capi1aryhold.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingleis.capi1aryhold.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintal.capi1aryhold.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrauch.f1rst5rup.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfjord.f1rst5rup.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkorn.f1rst5rup.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainwolfe.guan0mesca.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaineiche.guan0mesca.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbach.guan0mesca.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingrat.guan0mesca.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainweiss.ve1vetc0ves.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfalx.ve1vetc0ves.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaincloud.ve1vetc0ves.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkamm.ve1vetc0ves.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrill.ve1vetc0ves.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainwi1nd.dr0gaguaran.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainba3ch.dr0gaguaran.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainpf4ad.dr0gaguaran.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmo0or.dr0gaguaran.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainha2fen.bil1sun8en.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainu9fer.bil1sun8en.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainst1ern.bil1sun8en.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainwal3d.deane4y5not.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingl0ow.deane4y5not.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmi5st.deane4y5not.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkra2ut.deane4y5not.ru | ClearFake payload delivery domain (confidence level: 100%) |
Threat ID: 691e5c7df78d7eef03ef1825
Added to database: 11/20/2025, 12:10:37 AM
Last enriched: 11/20/2025, 12:17:36 AM
Last updated: 11/20/2025, 3:54:31 AM