ThreatFox IOCs for 2025-12-20
AI Analysis
Technical Summary
This entry from the ThreatFox MISP feed dated December 20, 2025, describes a malware-related threat focused on OSINT (Open Source Intelligence), network activity, and payload delivery. However, the data lacks specific indicators of compromise (IOCs), affected product versions, or detailed technical exploit information. The threat is tagged with 'type:osint' and 'tlp:white', indicating it is publicly shareable and related to open-source intelligence gathering or usage. The absence of known exploits in the wild and lack of available patches suggest this is either a newly identified or low-activity threat. The technical details provide a threat level of 2 (on an unspecified scale), analysis rating of 1, and distribution rating of 3, implying moderate distribution but limited analysis depth. The malware classification and network activity tags suggest the threat may involve payload delivery mechanisms possibly used in reconnaissance or initial infection stages. Without concrete IOCs or affected software versions, it is difficult to ascertain the exact attack vectors or targets. This information appears to serve as an early warning or intelligence update rather than a report of active exploitation. The lack of CWE identifiers further limits understanding of the underlying vulnerabilities or weaknesses exploited. Overall, this threat represents a medium-severity informational alert emphasizing the need for continued monitoring and OSINT analysis rather than immediate defensive action.
Potential Impact
Given the limited technical details and absence of known exploits, the immediate impact on European organizations is likely low to medium. The threat's focus on OSINT and network activity suggests it may be used for reconnaissance or as a precursor to more targeted attacks, potentially enabling adversaries to gather intelligence or deliver payloads in later stages. If leveraged effectively, it could compromise confidentiality by exposing sensitive information or facilitate integrity and availability attacks through payload delivery. However, without specific exploitation data or affected systems, the direct operational impact remains uncertain. European organizations relying heavily on network monitoring, threat intelligence platforms, or OSINT tools may experience increased exposure or false positives. The medium severity rating indicates a moderate risk level, warranting vigilance but not immediate alarm. The lack of patches or exploits in the wild reduces urgency but underscores the importance of proactive threat intelligence integration and network defense readiness.
Mitigation Recommendations
1. Enhance OSINT and network monitoring capabilities to detect unusual or suspicious activity related to payload delivery or reconnaissance.
2. Integrate ThreatFox and similar threat intelligence feeds into Security Information and Event Management (SIEM) systems to correlate and analyze emerging indicators once available.
3. Conduct regular threat hunting exercises focusing on network activity anomalies and potential early-stage malware indicators.
4. Maintain up-to-date endpoint detection and response (EDR) solutions capable of identifying unknown or emerging malware behaviors.
5. Train security teams on interpreting OSINT-related threat intelligence to improve contextual understanding and response prioritization.
6. Implement strict network segmentation and least privilege access controls to limit potential lateral movement if payload delivery occurs.
7. Prepare incident response plans that include scenarios involving OSINT-driven reconnaissance and payload delivery tactics.
8. Collaborate with information sharing communities to receive timely updates and share findings related to this threat.
These measures go beyond generic advice by focusing on proactive intelligence integration, behavioral detection, and organizational preparedness tailored to OSINT and network activity threats.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: 94ddcaea-8fcd-4494-8c4a-6f1e1b348952
- Original Timestamp: 1766275388
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://107.172.75.201:8888/supershell/login/ | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttp://45.131.184.34/bot | Cpuminer payload delivery URL (confidence level: 50%) | |
urlhttp://taymurazwarclavow.space:8080/updater?for=81d1b730207b50bc16231686b723b33f | Unknown malware botnet C2 (confidence level: 100%) |
Domain
| Value | Description | Copy |
|---|---|---|
domaincm88.gb.net | AsyncRAT botnet C2 domain (confidence level: 75%) | |
domainmx1.sa.com | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domaingiftingbuddy.in.net | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainegestx.ru.com | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainaref.co.com | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainmuk3av.cr1pptit2n.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhirqat.cr1pptit2n.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainvesnug.cr1pptit2n.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainryfkel.cl0udmist.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainvilqon.cl0udmist.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhomtaz.cl0udmist.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingepsir.cl0udmist.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainzuv1ak.cl0udmist.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmiprol.datashade.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainserqut.datashade.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainlaxven.datashade.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainjorbin.datashade.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintufeck.datashade.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainqidrom.rainpixel.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbesvyl.rainpixel.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainnurqet.rainpixel.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfayl0n.rainpixel.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhomzir.rainpixel.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainpelvar.mintbrook.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsulqen.mintbrook.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrovdit.mintbrook.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkimz0r.mintbrook.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainjavnek.mintbrook.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaindean.it.com | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainxenvop.clearl1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintridam.clearl1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrieege.mx | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainlojqes.clearl1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkarf1x.clearl1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhubrel.clearl1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainvemqot.mistysky.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsilran.mistysky.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainpudlex.mistysky.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainnorf1m.mistysky.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainjadwok.mistysky.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintilzor.windc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfeqvan.windc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainxubmel.windc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingarp1s.windc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainasfdavsdgkas-37221.portmap.host | XWorm botnet C2 domain (confidence level: 100%) | |
domaincasinogame.it.com | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domainmovtik.windc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaindafryl.stonem1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainvimqon.stonem1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintulsac.stonem1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainherp0n.stonem1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainjaxvel.stonem1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmuxlin.wavec0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsevqor.wavec0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintalfem.wavec0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrijd0n.wavec0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkobwex.wavec0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainzinrum.darkn0va.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainpelqix.darkn0va.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhofdan.darkn0va.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingurs0l.darkn0va.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintavmec.darkn0va.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainvexrum.rockf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaindilqat.rockf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainzorpev.rockf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhim3al.rockf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainjaknuf.rockf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmorvex.nightcl0ud.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainzilpun.nightcl0ud.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrecargamos.co.com | AsyncRAT botnet C2 domain (confidence level: 50%) | |
domaindaqrel.nightcl0ud.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfuts0n.nightcl0ud.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkerjub.nightcl0ud.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainctya.windc0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain91de.windc0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainshadow.windc0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainstorm.windc0re.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainapi.vxucqb.dpdns.org | Cobalt Strike botnet C2 domain (confidence level: 75%) | |
domainlink.darkc0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainydmnx.darkc0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainnight.darkc0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainshine.darkc0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingamma.rain5tone.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainlight.rain5tone.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrealtopka-50211.portmap.host | XWorm botnet C2 domain (confidence level: 100%) | |
domainq9b.rain5tone.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaincore.rain5tone.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainkpu.nightf0rm.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaincloud.nightf0rm.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainnova.nightf0rm.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainpine.nightf0rm.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbxo57.stormw1ng.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain68s.stormw1ng.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfl21d.stormw1ng.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainelisauy.ru.com | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainadcn.stormw1ng.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain8c.wavec0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainspark.wavec0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainwlvpw.wavec0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingate.wavec0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaincrest.datam1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain8x.datam1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaino1h5i.datam1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainclear.datam1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaingma.stonel1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainomega.stonel1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainpixel.stonel1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmist.stonel1nk.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfrost.sunsh1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrange.sunsh1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain0up.sunsh1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainblue.sunsh1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainic.softp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintrace.softp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainplnb3.softp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbite.softp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainwind.mistf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainnexus.mistf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbird.mistf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainu6uek.mistf1eld.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsoft.clearb1te.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainampz4.clearb1te.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrc.clearb1te.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain135y.clearb1te.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrain.cloudb1rd.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainuy.cloudb1rd.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainline.cloudb1rd.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsgbvj.cloudb1rd.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain0tmh.frostc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain0ej.frostc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain59l.frostc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain15.frostc0met.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainchx.darkl1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfield.darkl1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbeta.darkl1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain7a19u.darkl1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmk1qq.rainf0x.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainmicp.rainf0x.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainwing.rainf0x.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainn774.rainf0x.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain5bvg1.stormp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainsb.stormp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain3a.stormp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaines4.stormp1ne.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainp65a.wavec0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain1now.wavec0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain8s.wavec0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainrqdgj.wavec0de.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain1an.stormm1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainbyb0.stormm1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaintb.stormm1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainf9u.stormm1st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain32w5.softcr5st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainku9cp.softcr5st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain0a9bd.softcr5st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaincomet.softcr5st.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domaindark.sunf0rest.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domain4v.sunf0rest.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainfox.sunf0rest.ru | ClearFake payload delivery domain (confidence level: 100%) |
IP:port
The C2 entries in this feed are ip:port indicators: the feed lists the IP addresses and the ports in the same order, and both halves belong to the indicator. Match on the pair, not on the address alone; several addresses appear with more than one port (165.154.225.249 on 443, 8443 and 8888; 107.174.184.190 on 443 and 8888; 3.77.105.68 on 80 and 443).
| Value | Description |
|---|---|
| 117.72.220.129:5555 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 38.55.99.179:8082 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 123.60.15.107:4444 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 163.5.149.126:9000 | Remcos botnet C2 server (confidence level: 100%) |
| 165.154.225.249:443 | Sliver botnet C2 server (confidence level: 100%) |
| 106.15.124.100:8000 | Sliver botnet C2 server (confidence level: 100%) |
| 124.221.196.251:8888 | Unknown malware botnet C2 server (confidence level: 100%) |
| 103.158.37.31:8888 | Unknown malware botnet C2 server (confidence level: 100%) |
| 158.94.208.111:8808 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 102.117.173.78:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 54.232.144.183:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 158.94.210.44:80 | Quasar RAT botnet C2 server (confidence level: 100%) |
| 42.114.43.134:443 | Quasar RAT botnet C2 server (confidence level: 100%) |
| 209.250.233.184:4782 | Quasar RAT botnet C2 server (confidence level: 100%) |
| 103.177.46.118:3790 | Meterpreter botnet C2 server (confidence level: 100%) |
| 212.11.64.102:58002 | N-W0rm botnet C2 server (confidence level: 100%) |
| 104.248.201.61:8001 | Aisuru botnet C2 server (confidence level: 75%) |
| 134.209.86.116:8001 | Aisuru botnet C2 server (confidence level: 75%) |
| 159.65.197.180:8001 | Aisuru botnet C2 server (confidence level: 75%) |
| 167.172.211.181:8001 | Aisuru botnet C2 server (confidence level: 75%) |
| 164.90.204.137:8001 | Aisuru botnet C2 server (confidence level: 75%) |
| 161.35.84.112:8001 | Aisuru botnet C2 server (confidence level: 75%) |
| 107.174.184.190:443 | Sliver botnet C2 server (confidence level: 100%) |
| 34.136.96.204:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 176.136.159.35:4444 | Venom RAT botnet C2 server (confidence level: 100%) |
| 84.21.173.117:1080 | Venom RAT botnet C2 server (confidence level: 100%) |
| 8.216.41.238:65503 | DCRat botnet C2 server (confidence level: 100%) |
| 103.177.47.75:3790 | Meterpreter botnet C2 server (confidence level: 100%) |
| 103.177.46.41:3790 | Meterpreter botnet C2 server (confidence level: 100%) |
| 112.220.72.117:80 | Unknown malware botnet C2 server (confidence level: 100%) |
| 13.250.58.122:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 107.174.184.190:8888 | Sliver botnet C2 server (confidence level: 75%) |
| 165.154.225.249:8443 | Sliver botnet C2 server (confidence level: 75%) |
| 165.154.225.249:8888 | Sliver botnet C2 server (confidence level: 75%) |
| 54.190.173.10:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 47.115.175.62:80 | Cobalt Strike botnet C2 server (confidence level: 75%) |
| 156.234.251.22:54909 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 162.243.28.13:4444 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 93.127.142.21:8443 | Venom RAT botnet C2 server (confidence level: 100%) |
| 188.25.173.157:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 60.246.128.198:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 173.177.2.122:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 193.183.245.243:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 96.48.125.171:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 218.164.173.3:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 103.28.65.230:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 113.192.86.111:8443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 101.42.226.223:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 65.21.183.44:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 54.161.165.7:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 125.88.238.62:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 3.77.105.68:80 | Unknown malware botnet C2 server (confidence level: 100%) |
| 3.77.105.68:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 104.129.12.210:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 3.122.90.47:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 45.141.27.250:6000 | XWorm botnet C2 server (confidence level: 100%) |
| 161.248.14.125:444 | Unknown RAT botnet C2 server (confidence level: 100%) |
| 45.79.216.201:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 103.112.99.226:443 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 154.91.66.131:6666 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 139.159.149.202:8880 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 185.39.19.53:5000 | Remcos botnet C2 server (confidence level: 100%) |
| 130.162.44.203:9999 | Sliver botnet C2 server (confidence level: 100%) |
| 45.78.196.40:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 65.108.109.95:7443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 157.15.98.82:80 | MooBot botnet C2 server (confidence level: 100%) |
| 103.85.226.13:4444 | AdaptixC2 botnet C2 server (confidence level: 100%) |
| 98.94.88.131:51005 | Meterpreter botnet C2 server (confidence level: 100%) |
| 54.37.15.75:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 104.243.26.92:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 157.20.182.24:4443 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 34.232.172.247:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 36.158.214.147:10250 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 58.221.45.172:10250 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 69.162.101.235:51854 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 75.128.224.65:8080 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 120.24.64.74:63201 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 34.209.232.97:2000 | Empire Downloader botnet C2 server (confidence level: 100%) |
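The C2 entries in this feed are ip:port indicators, and a few of them carry a 75% rather than 100% confidence. The script below is an added example (not ThreatFox, MISP or abuse.ch code) that parses a handful of the feed's rows in their "value | description" form, matches them against connection records and keeps IP-only matches separate from exact ip:port matches, so that an address that also serves unrelated traffic does not produce a hard alert. The indicator rows are copied from the table; the connection records are constructed for the example in Zeek conn.log field order and are not real traffic.

```python
"""Match ip:port C2 indicators from the feed against connection records.

Added example for this page, not ThreatFox, MISP or abuse.ch code.
Indicator rows are copied from the table above; CONN_LOG is constructed
(Zeek conn.log field order, tab-separated) and not real traffic.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# A few rows from this page's table, in the same "value | description" shape.
IOC_ROWS = """\
117.72.220.129:5555 | Cobalt Strike botnet C2 server (confidence level: 100%)
165.154.225.249:443 | Sliver botnet C2 server (confidence level: 100%)
165.154.225.249:8443 | Sliver botnet C2 server (confidence level: 75%)
107.174.184.190:443 | Sliver botnet C2 server (confidence level: 100%)
104.248.201.61:8001 | Aisuru botnet C2 server (confidence level: 75%)
34.209.232.97:2000 | Empire Downloader botnet C2 server (confidence level: 100%)
"""

# Constructed records: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
CONN_LOG = """\
1766188800.1\tCx1\t10.0.0.5\t51234\t165.154.225.249\t443\ttcp
1766188801.2\tCx2\t10.0.0.7\t51235\t165.154.225.249\t80\ttcp
1766188802.3\tCx3\t10.0.0.9\t51236\t34.209.232.97\t2000\ttcp
1766188803.4\tCx4\t10.0.0.9\t51237\t165.154.225.249\t8443\ttcp
1766188804.5\tCx5\t10.0.0.9\t51238\t8.8.8.8\t53\tudp
"""

DESC_RE = re.compile(
    r"^(?P<family>.+?) botnet C2 server \(confidence level: (?P<conf>\d+)%\)$"
)


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: int
    family: str
    confidence: int


def parse_iocs(text: str) -> dict[tuple[str, int], Indicator]:
    """Parse 'ip:port | description' rows into a lookup keyed on (ip, port)."""
    iocs: dict[tuple[str, int], Indicator] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        value, desc = (part.strip() for part in raw.split("|", 1))
        ip, port = value.rsplit(":", 1)
        ipaddress.ip_address(ip)  # rejects leftover prefixes such as 'file1.2.3.4'
        m = DESC_RE.match(desc)
        if m is None:
            raise ValueError(f"unexpected description: {desc!r}")
        ind = Indicator(ip, int(port), m["family"], int(m["conf"]))
        iocs[(ind.ip, ind.port)] = ind
    return iocs


def families(iocs: dict[tuple[str, int], Indicator]) -> Counter:
    """Count indicators per malware family, handy for prioritising a hunt."""
    return Counter(ind.family for ind in iocs.values())


def match_conn_log(log_text: str, iocs: dict[tuple[str, int], Indicator],
                   min_confidence: int = 0) -> list[dict]:
    """Return one hit per record whose responder matches an indicator.

    An 'exact' hit needs both IP and port at or above min_confidence.
    A record that matches only the IP, or matches a pair below
    min_confidence, is reported as 'ip-only' for analyst review rather
    than as an alert: an address alone over-matches shared hosting.
    """
    ports_by_ip: defaultdict[str, set[int]] = defaultdict(set)
    for ip, port in iocs:
        ports_by_ip[ip].add(port)
    hits: list[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, _proto = raw.split("\t")
        ind = iocs.get((resp_h, int(resp_p)))
        if ind is not None and ind.confidence >= min_confidence:
            hits.append({"uid": uid, "src": orig_h, "dst": f"{resp_h}:{resp_p}",
                         "family": ind.family, "confidence": ind.confidence,
                         "match": "exact"})
        elif resp_h in ports_by_ip:
            hits.append({"uid": uid, "src": orig_h, "dst": f"{resp_h}:{resp_p}",
                         "family": None, "confidence": None, "match": "ip-only"})
    return hits


if __name__ == "__main__":
    table = parse_iocs(IOC_ROWS)
    print(families(table))
    for hit in match_conn_log(CONN_LOG, table, min_confidence=100):
        print(hit)
```

With the default threshold, Cx4 (165.154.225.249:8443, confidence 75%) is an exact Sliver hit; with `min_confidence=100` it drops to an IP-only review item, which is the trade-off to decide per environment before wiring the feed into a blocklist.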
Threat ID: 694739e9db1f51f880b29b9d
Added to database: 12/21/2025, 12:06:01 AM
Last enriched: 12/21/2025, 12:21:29 AM
Last updated: 12/21/2025, 8:46:36 AM
Related Threats
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence (Medium)
- U.S. DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware (Medium)
- ThreatFox IOCs for 2025-12-19 (Medium)
- Attempts to sniff out governmental affairs in Southeast Asia and Japan (Medium)
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware (Medium)