ThreatFox IOCs for 2026-01-19
AI Analysis
Technical Summary
This entry is the ThreatFox (abuse.ch) daily MISP event for 19 January 2026. It is an OSINT threat-intelligence feed, not a vulnerability advisory: it names no affected product or version and carries no patch, because it describes attacker infrastructure rather than a flaw in software. The indicators are command-and-control (C2) servers expressed as IP:port pairs, C2 and payload-delivery domains, and URLs, each tagged by ThreatFox with a malware family and a reporter confidence (75% to 100% in this event). The families are mostly commodity infostealers (Stealc, Vidar, PureLogs), remote-access trojans (Remcos, AsyncRAT, XWorm, DCRat, ValleyRAT, NjRAT, Quasar RAT, SectopRAT, Venom RAT, NetSupport Manager), post-exploitation frameworks (Cobalt Strike, Sliver, Meterpreter, Empire, DeimosC2, VShell, Octopus) and IoT botnets (Mirai, Bashlite, Chaos), plus payload URLs attributed to ClearFake and FAKEUPDATES. Several Vidar entries are profile pages on steamcommunity.com and Telegram channels, consistent with Vidar's well-documented use of such pages as dead-drop resolvers for its real C2 address; the host names of those URLs are legitimate services and must not be blocked wholesale. The MISP metadata gives threat level 2 (medium on MISP's 1 to 4 scale), analysis 1 (ongoing) and distribution 3 (all communities). The event is marked TLP:WHITE (TLP:CLEAR in TLP 2.0), so it may be shared without restriction. Because the feed carries no samples or behavioural detail, it supports network detection and blocking rather than analysis of the malware's internals, and the medium severity shown here rates the feed as a whole, not any single family.
Potential Impact
For European organisations the impact depends on whether any of this infrastructure is reachable from, or already in contact with, their own networks; the feed introduces no new exploit, so the immediate risk is low to medium and sits in detection and response rather than in exposure. The families represented still matter: infostealers such as Stealc, Vidar and PureLogs harvest browser credentials, session cookies and wallet data, and remote-access trojans such as Remcos, AsyncRAT, XWorm and ValleyRAT give an operator interactive control of the host, so a single match on an internal egress log usually means an endpoint is already compromised and its credentials should be treated as exposed (confidentiality first, and integrity and availability as well where that access is passed on). Cobalt Strike, Sliver, Meterpreter, Empire and DeimosC2 servers point to hands-on intrusions or authorised red-team activity, which should be deconflicted before blocking. Organisations that load these indicators into egress monitoring can catch such infections early; those that do not will learn of them only when the stolen data or access is used. Critical infrastructure, financial services and government bodies in the listed countries gain the most from acting on the feed the day it is published, since C2 infrastructure of this kind is rotated quickly.
Mitigation Recommendations
To get value from this feed, European organisations should: 1) Load the indicators into SIEM, EDR, proxy and firewall block lists, matching C2 entries on the full IP:port pair rather than the bare IP, since several addresses here carry C2 on one port beside unrelated services on others (51.79.204.217, 44.222.210.96 and 23.248.212.114 each appear with two or three ports). 2) Treat the steamcommunity.com, t.me, telegram.me and cdn.jsdelivr.net entries as URL-only indicators and never turn them into domain blocks, which would break legitimate services; alert on the exact URL instead. 3) Pull the ThreatFox feed daily and correlate it against egress, DNS and proxy logs, including logs from the preceding days, because indicators are reported after the infrastructure was first used. 4) Hunt for outbound connections to the non-standard ports that dominate the list (2404, 3333, 7707, 8888, 9000 and the high ephemeral ports), which workstation traffic rarely uses regardless of destination. 5) Segment networks and restrict outbound access so that a RAT or stealer on one host cannot reach the internet directly and so that lateral movement after a Cobalt Strike or Sliver beacon is contained. 6) Have analysts validate hits before responding: confirm the destination port and family, check whether a Cobalt Strike, Sliver or Meterpreter hit is an authorised red-team engagement, and weigh the 75% to 80% confidence on the Stealc, DeimosC2 and Mirai entries against the 100% on the rest. 7) Report confirmed sightings back to ThreatFox and to national CSIRTs or sector ISACs, and keep backups and incident-response plans current, since a stealer infection means credential rotation and a RAT infection means a host rebuild.
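As an added example (not code from ThreatFox, abuse.ch or this page's analysis), the Python script below applies the indicator list the way the recommendations describe: C2 entries are matched on the full IP:port pair, an IP-only match is downgraded to a lead, URLs are compared after normalisation, and URL hosts are pivoted into domain indicators only when they are neither bare IP literals nor shared services such as steamcommunity.com or t.me. The indicator values are copied from the feed above; the log lines and the space-separated key=value log format are constructed for the demonstration and are assumptions.

```python
"""Match ThreatFox ip:port, domain and URL indicators against egress logs.
Added example for this page, not code from ThreatFox/abuse.ch. Indicator values are
copied from the feed above; the log lines and the key=value log format are assumptions.
"""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Legitimate services the feed lists only as full URLs (Steam profiles, Telegram channels,
# jsDelivr paths used as dead drops). Their host names must never be turned into IOCs.
SHARED_HOSTS = {"steamcommunity.com", "t.me", "telegram.me", "cdn.jsdelivr.net"}
KV_RE = re.compile(r"(\w+)=(\S+)")   # assumed log format: "... dst=1.2.3.4 dport=443 host=x url=y"

# ioc_type is the ThreatFox type name ("ip:port", "domain", "url"); family is None where the
# page shows none (domains); derived marks domains pivoted from URL indicators.
Ioc = namedtuple("Ioc", "ioc_type value family confidence derived", defaults=(None, 0, False))
Hit = namedtuple("Hit", "line_no ioc strength")   # strength: "exact", "pivot" or "lead"

# Subset copied from the feed above; family and confidence from its description column.
IOCS = [
    Ioc("ip:port", "51.79.204.217:80", "Unknown malware", 100),
    Ioc("ip:port", "51.79.204.217:443", "Unknown malware", 100),
    Ioc("ip:port", "23.248.212.114:5222", "ValleyRAT", 100),
    Ioc("domain", "whooptm.cyou"),
    Ioc("domain", "kokymrgy.hopto.org"),
    Ioc("url", "https://51.79.204.217/", "Unknown malware", 90),
    Ioc("url", "https://steamcommunity.com/profiles/76561198747567141", "Vidar", 100),
    Ioc("url", "https://socketapiupdates.com/kxq5q2ty_tc5x0obdjg2ohd6epotmm7i34pdnyszdld",
        "FAKEUPDATES", 100),
]

def normalize_url(url: str) -> str:
    """Canonical form for exact comparison: lowercase scheme and host, drop default port."""
    p = urlsplit(url.strip())
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    netloc = host if p.port in (None, {"http": 80, "https": 443}.get(scheme)) else f"{host}:{p.port}"
    return f"{scheme}://{netloc}{p.path or '/'}" + (f"?{p.query}" if p.query else "")

def host_matches(host: str, domain: str) -> bool:
    """True for the indicator itself or a subdomain of it, never for its parent zone."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def pivot_domains(iocs):
    """Derive domain indicators from URL hosts, skipping IP literals and shared services."""
    out = []
    for i in (i for i in iocs if i.ioc_type == "url"):
        host = (urlsplit(i.value).hostname or "").lower()
        try:
            ipaddress.ip_address(host)          # bare-IP URL: covered by its ip:port entry
        except ValueError:
            if host and not any(host_matches(host, s) for s in SHARED_HOSTS):
                out.append(Ioc("domain", host, i.family, i.confidence, True))
    return out

def scan(lines, iocs=IOCS):
    """Return one Hit per indicator matched on each log line."""
    by_ipport, by_ip, domains, urls = {}, {}, {}, {}
    for i in list(iocs) + pivot_domains(iocs):
        if i.ioc_type == "ip:port":
            ip, port = i.value.rsplit(":", 1)
            by_ipport[(ip, int(port))] = i
            by_ip.setdefault(ip, []).append(i)
        elif i.ioc_type == "domain":
            domains[i.value.lower()] = i
        else:
            urls[normalize_url(i.value)] = i
    hits = []
    for n, line in enumerate(lines, 1):
        f = dict(KV_RE.findall(line))
        dst, dport = f.get("dst"), f.get("dport", "")
        if dport.isdigit() and (dst, int(dport)) in by_ipport:
            hits.append(Hit(n, by_ipport[(dst, int(dport))], "exact"))
        elif dst in by_ip:   # same server, other port: shared hosting is common, so a lead only
            hits.extend(Hit(n, i, "lead") for i in by_ip[dst])
        url, host = f.get("url", "-"), f.get("host", "-")
        if url != "-" and (u := urls.get(normalize_url(url))):
            hits.append(Hit(n, u, "exact"))
        elif host != "-":
            for d, i in domains.items():
                if host_matches(host, d):
                    hits.append(Hit(n, i, "pivot" if i.derived else "exact"))
                    break
    return hits

# Constructed log lines (not real traffic); 203.0.113.0/24 is documentation address space.
LOGS = [
    "2026-01-19T08:01:11Z src=10.20.3.7 dst=51.79.204.217 dport=443 host=- url=-",
    "2026-01-19T08:02:40Z src=10.20.3.9 dst=23.248.212.114 dport=8080 host=- url=-",
    "2026-01-19T08:03:02Z src=10.20.4.1 dst=203.0.113.5 dport=443 host=steamcommunity.com "
    "url=https://steamcommunity.com/profiles/76561198747567141",
    "2026-01-19T08:03:05Z src=10.20.4.1 dst=203.0.113.5 dport=443 host=steamcommunity.com "
    "url=https://steamcommunity.com/app/730",
    "2026-01-19T08:04:10Z src=10.20.5.2 dst=203.0.113.6 dport=443 host=api.whooptm.cyou url=-",
    "2026-01-19T08:05:00Z src=10.20.5.3 dst=203.0.113.7 dport=443 host=hopto.org url=-",
    "2026-01-19T08:06:30Z src=10.20.5.4 dst=203.0.113.8 dport=443 host=socketapiupdates.com "
    "url=https://socketapiupdates.com/update.js",
]

if __name__ == "__main__":
    print(*scan(LOGS), sep="\n")
```

Run it directly to print the hits for the constructed lines: an exact C2 hit, a lead on 23.248.212.114 because the port differs, an exact Vidar dead-drop URL while the neighbouring benign Steam page stays silent, a subdomain of whooptm.cyou, and a pivot hit on socketapiupdates.com even though the path is not the one in the feed. In practice replace LOGS with a proxy or firewall export and load the full feed into IOCS; the lead class is worth keeping separate because several addresses in this feed carry C2 on more than one port, so alerting on the bare address also catches whatever else is hosted there.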
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
C2 servers are ThreatFox ip:port indicators; domains and URLs are listed as published. Malware family and confidence level for each ip:port entry are given in the table further down the page.
- ip:port: 64.89.163.39:3778
- url: http://etvidanueva.com/photos/images/webpanel/login.php
- ip:port: 45.93.20.199:80
- ip:port: 62.60.226.26:80
- ip:port: 69.5.189.243:80
- ip:port: 82.147.88.135:80
- ip:port: 86.54.25.34:80
- ip:port: 91.92.241.227:80
- ip:port: 91.92.242.93:80
- ip:port: 91.244.70.130:80
- ip:port: 103.101.85.56:80
- ip:port: 138.124.108.219:80
- ip:port: 150.241.65.150:80
- ip:port: 176.120.22.55:80
- ip:port: 178.16.54.140:80
- ip:port: 178.17.62.64:80
- ip:port: 185.11.61.208:80
- ip:port: 192.30.242.54:80
- ip:port: 199.217.99.71:80
- ip:port: 77.110.112.91:7777
- ip:port: 94.156.170.95:80
- ip:port: 196.75.243.26:2222
- ip:port: 72.62.169.219:1337
- ip:port: 51.79.204.217:80
- ip:port: 51.79.204.217:443
- url: https://51.79.204.217/
- ip:port: 154.22.5.244:9090
- ip:port: 91.92.120.109:62020
- ip:port: 130.12.182.194:2404
- ip:port: 158.94.210.195:8808
- ip:port: 44.222.210.96:1311
- ip:port: 44.222.210.96:1961
- ip:port: 78.142.18.92:9931
- domain: onus.ru.com
- domain: tr88.sa.com
- ip:port: 124.220.102.195:8080
- ip:port: 178.249.208.233:4433
- url: https://cdn.jsdelivr.net/gh/strict-knoll-interface/ubiquitous-garbanzo/ba5e
- ip:port: 111.229.43.212:443
- ip:port: 118.31.168.221:80
- ip:port: 104.168.115.90:2404
- ip:port: 77.105.136.66:9000
- ip:port: 137.220.136.8:444
- ip:port: 102.98.80.111:443
- ip:port: 54.242.218.17:1098
- ip:port: 54.89.88.62:50291
- ip:port: 103.177.47.94:3790
- ip:port: 38.49.213.155:9980
- ip:port: 148.178.119.121:443
- ip:port: 148.178.44.29:443
- ip:port: 218.255.179.148:47105
- ip:port: 34.232.142.15:443
- ip:port: 23.226.135.117:6554
- domain: ultradatahost1.baby
- domain: visit.bombauthority.website
- domain: appolobase.com
- ip:port: 91.92.242.99:2404
- domain: smartprince111111
- ip:port: 176.65.132.225:8008
- domain: mythicserver.eastus.cloudapp.azure.com
- ip:port: 18.159.90.56:443
- ip:port: 147.93.55.41:3333
- domain: fly88.gr.com
- domain: xgpviv.za.com
- ip:port: 45.61.148.43:443
- domain: www.resrei.com
- url: https://lom.make-lnk.com/sugqgzlavsjvmmrq
- ip:port: 185.165.169.11:9922
- ip:port: 94.120.85.76:9696
- ip:port: 206.217.216.8:8000
- ip:port: 169.40.135.96:8080
- ip:port: 199.101.111.25:3790
- domain: qq-88.co.com
- ip:port: 121.127.232.21:443
- domain: 10jqka.ec.cc
- ip:port: 156.247.40.112:6666
- ip:port: 156.247.40.112:8888
- domain: matsau.noip.me
- ip:port: 195.66.214.79:443
- ip:port: 45.61.151.64:8443
- ip:port: 72.61.6.215:7001
- url: https://socketapiupdates.com/kxq5q2ty_tc5x0obdjg2ohd6epotmm7i34pdnyszdld
- ip:port: 204.13.232.123:80
- domain: campari.uk.com
- domain: fenixcentr.sa.com
- domain: sweetbonanzaslot.jp.net
- domain: api.fanataxservices.com
- url: https://steamcommunity.com/profiles/76561198747567141
- url: https://telegram.me/skialt3
- url: https://t.me/clepfort
- url: https://49.13.39.105/
- url: https://116.203.0.214/
- url: https://193.221.201.185/
- url: https://138.226.237.204/
- url: https://49.13.38.165/
- url: https://138.226.236.182/
- url: https://116.202.188.70/
- url: https://138.226.237.1/
- url: https://195.201.249.240/
- url: https://49.13.35.238/
- url: https://rer.agfoodpos.com/
- url: https://hoe.agfoodpos.com/
- url: https://res.agfoodpos.com/
- url: https://poc.agfoodpos.com/
- url: https://poc.yago.fun/
- url: https://res.yago.fun/
- url: https://tretor.mobilefoundationrepair.com/
- url: https://onetto.mobilefoundationrepair.com/
- url: https://twettor.mobilefoundationrepair.com/
- domain: rer.agfoodpos.com
- domain: hoe.agfoodpos.com
- domain: res.agfoodpos.com
- domain: poc.agfoodpos.com
- domain: poc.yago.fun
- domain: res.yago.fun
- domain: tretor.mobilefoundationrepair.com
- domain: onetto.mobilefoundationrepair.com
- domain: twettor.mobilefoundationrepair.com
- ip:port: 49.13.39.105:443
- ip:port: 116.203.0.214:443
- ip:port: 193.221.201.185:443
- ip:port: 138.226.237.204:443
- ip:port: 49.13.38.165:443
- ip:port: 138.226.236.182:443
- ip:port: 116.202.188.70:443
- ip:port: 138.226.237.1:443
- ip:port: 195.201.249.240:443
- ip:port: 49.13.35.238:443
- url: http://113.30.151.250/panel/
- ip:port: 193.161.193.99:35578
- ip:port: 154.12.116.66:23110
- ip:port: 5.230.253.188:80
- ip:port: 185.163.204.137:80
- url: https://t.me/keeper_ideology
- domain: enigma-locket.info
- ip:port: 77.42.83.71:80
- ip:port: 45.156.87.154:7707
- ip:port: 2.57.19.46:411
- domain: kokymrgy.hopto.org
- ip:port: 82.22.23.160:4449
- url: https://whooptm.cyou/api
- url: https://westerrd.cyou/api
- url: http://77.42.83.71
- ip:port: 154.36.188.114:11788
- ip:port: 154.36.188.114:11778
- ip:port: 23.248.212.114:433
- ip:port: 23.248.212.114:443
- ip:port: 23.248.212.114:5222
- ip:port: 47.237.107.28:7181
- domain: xnd4x3ezm.localto.net
- domain: cyqahoxnt.localto.net
- domain: utoigzdol.localto.net
- ip:port: 148.178.117.121:443
- ip:port: 148.178.118.104:443
- ip:port: 148.178.119.99:443
- ip:port: 148.178.39.39:443
- ip:port: 148.178.52.48:443
- ip:port: 148.178.56.52:443
- ip:port: 148.178.71.81:443
- ip:port: 207.56.204.254:443
- ip:port: 207.56.205.62:443
- ip:port: 207.56.207.74:443
- ip:port: 44.238.171.194:443
- ip:port: 47.83.182.237:8888
- ip:port: 77.239.124.44:8443
- ip:port: 95.9.236.229:2003
- url: https://cdn.jsdelivr.net/gh/ws40-delta-xchg-fab8/unity-dedicated-server33/ws-code-sync
- ip:port: 155.117.155.45:80
- ip:port: 120.46.3.183:443
- ip:port: 128.90.122.67:2404
- ip:port: 46.4.224.208:2404
- ip:port: 45.83.31.84:8080
- ip:port: 95.9.236.229:2000
- ip:port: 89.110.107.177:9000
- ip:port: 1.54.115.86:443
- ip:port: 217.217.255.48:8080
- ip:port: 34.30.77.194:80
- url: https://touchkasablanka.com/logout/profile-core.php
- domain: touchkasablanka.com
- url: https://touchkasablanka.com/logout/user-effect.js
- url: http://79.141.163.155/summit
- url: https://sammremix.com/summit
- url: https://79.141.163.155/tech
- url: http://a1219978.xsph.ru/1c268c1c.php
- domain: whooptm.cyou
- domain: westerrd.cyou
- domain: www.wiklpedia.net
- ip:port: 85.121.148.24:443
- url: https://cdn.jsdelivr.net/gh/ws40-delta-xchg-fab8/unity-dedicated-server33/physics
- ip:port: 47.86.60.178:443
- ip:port: 89.223.95.83:8888
- ip:port: 94.154.35.73:7707
- ip:port: 152.67.103.55:3333
- ip:port: 34.246.190.48:3333
- ip:port: 159.223.172.168:3333
- ip:port: 144.24.156.118:3333
- ip:port: 206.172.45.10:443
- ip:port: 204.216.140.71:3333
- ip:port: 143.47.190.197:443
Technical Details
- Threat Level: 2 (MISP scale: 1 = high, 2 = medium, 3 = low, 4 = undefined)
- Analysis: 1 (MISP: 0 = initial, 1 = ongoing, 2 = complete)
- Distribution: 3 (MISP: all communities)
- UUID: df0317fb-f241-490c-9c38-d1d210d6528a
- Original Timestamp: 1768867387 (2026-01-20T00:03:07Z, shortly after the end of the day the feed covers)
Indicators of Compromise
IP:port
| Value | Description |
|---|---|
| 64.89.163.39:3778 | Mirai botnet C2 server (confidence level: 80%) |
| 45.93.20.199:80 | Stealc botnet C2 server (confidence level: 75%) |
| 62.60.226.26:80 | Stealc botnet C2 server (confidence level: 75%) |
| 69.5.189.243:80 | Stealc botnet C2 server (confidence level: 75%) |
| 82.147.88.135:80 | Stealc botnet C2 server (confidence level: 75%) |
| 86.54.25.34:80 | Stealc botnet C2 server (confidence level: 75%) |
| 91.92.241.227:80 | Stealc botnet C2 server (confidence level: 75%) |
| 91.92.242.93:80 | Stealc botnet C2 server (confidence level: 75%) |
| 91.244.70.130:80 | Stealc botnet C2 server (confidence level: 75%) |
| 103.101.85.56:80 | Stealc botnet C2 server (confidence level: 75%) |
| 138.124.108.219:80 | Stealc botnet C2 server (confidence level: 75%) |
| 150.241.65.150:80 | Stealc botnet C2 server (confidence level: 75%) |
| 176.120.22.55:80 | Stealc botnet C2 server (confidence level: 75%) |
| 178.16.54.140:80 | Stealc botnet C2 server (confidence level: 75%) |
| 178.17.62.64:80 | Stealc botnet C2 server (confidence level: 75%) |
| 185.11.61.208:80 | Stealc botnet C2 server (confidence level: 75%) |
| 192.30.242.54:80 | Stealc botnet C2 server (confidence level: 75%) |
| 199.217.99.71:80 | Stealc botnet C2 server (confidence level: 75%) |
| 77.110.112.91:7777 | DCRat botnet C2 server (confidence level: 100%) |
| 94.156.170.95:80 | Bashlite botnet C2 server (confidence level: 100%) |
| 196.75.243.26:2222 | Meterpreter botnet C2 server (confidence level: 100%) |
| 72.62.169.219:1337 | Empire Downloader botnet C2 server (confidence level: 100%) |
| 51.79.204.217:80 | Unknown malware botnet C2 server (confidence level: 100%) |
| 51.79.204.217:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 154.22.5.244:9090 | PureLogs Stealer botnet C2 server (confidence level: 100%) |
| 91.92.120.109:62020 | PureLogs Stealer botnet C2 server (confidence level: 100%) |
| 130.12.182.194:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 158.94.210.195:8808 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 44.222.210.96:1311 | Meterpreter botnet C2 server (confidence level: 100%) |
| 44.222.210.96:1961 | Meterpreter botnet C2 server (confidence level: 100%) |
| 78.142.18.92:9931 | Mirai botnet C2 server (confidence level: 80%) |
| 124.220.102.195:8080 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 178.249.208.233:4433 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 111.229.43.212:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 118.31.168.221:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 104.168.115.90:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 77.105.136.66:9000 | SectopRAT botnet C2 server (confidence level: 100%) |
| 137.220.136.8:444 | Unknown RAT botnet C2 server (confidence level: 100%) |
| 102.98.80.111:443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 54.242.218.17:1098 | Meterpreter botnet C2 server (confidence level: 100%) |
| 54.89.88.62:50291 | Meterpreter botnet C2 server (confidence level: 100%) |
| 103.177.47.94:3790 | Meterpreter botnet C2 server (confidence level: 100%) |
| 38.49.213.155:9980 | PureLogs Stealer botnet C2 server (confidence level: 100%) |
| 148.178.119.121:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 148.178.44.29:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 218.255.179.148:47105 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 34.232.142.15:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 23.226.135.117:6554 | VShell botnet C2 server (confidence level: 100%) |
| 91.92.242.99:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 176.65.132.225:8008 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 18.159.90.56:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 147.93.55.41:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 45.61.148.43:443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) |
| 185.165.169.11:9922 | XWorm botnet C2 server (confidence level: 100%) |
| 94.120.85.76:9696 | XWorm botnet C2 server (confidence level: 100%) |
| 206.217.216.8:8000 | Sliver botnet C2 server (confidence level: 100%) |
| 169.40.135.96:8080 | DCRat botnet C2 server (confidence level: 100%) |
| 199.101.111.25:3790 | Meterpreter botnet C2 server (confidence level: 100%) |
| 121.127.232.21:443 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 156.247.40.112:6666 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 156.247.40.112:8888 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 195.66.214.79:443 | Meterpreter botnet C2 server (confidence level: 75%) |
| 45.61.151.64:8443 | Meterpreter botnet C2 server (confidence level: 75%) |
| 72.61.6.215:7001 | Meterpreter botnet C2 server (confidence level: 75%) |
| 204.13.232.123:80 | Stealc botnet C2 server (confidence level: 100%) |
| 49.13.39.105:443 | Vidar botnet C2 server (confidence level: 100%) |
| 116.203.0.214:443 | Vidar botnet C2 server (confidence level: 100%) |
| 193.221.201.185:443 | Vidar botnet C2 server (confidence level: 100%) |
| 138.226.237.204:443 | Vidar botnet C2 server (confidence level: 100%) |
| 49.13.38.165:443 | Vidar botnet C2 server (confidence level: 100%) |
| 138.226.236.182:443 | Vidar botnet C2 server (confidence level: 100%) |
| 116.202.188.70:443 | Vidar botnet C2 server (confidence level: 100%) |
| 138.226.237.1:443 | Vidar botnet C2 server (confidence level: 100%) |
| 195.201.249.240:443 | Vidar botnet C2 server (confidence level: 100%) |
| 49.13.35.238:443 | Vidar botnet C2 server (confidence level: 100%) |
| 193.161.193.99:35578 | NjRAT botnet C2 server (confidence level: 100%) |
| 154.12.116.66:23110 | PureLogs Stealer botnet C2 server (confidence level: 100%) |
| 5.230.253.188:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 185.163.204.137:80 | Venom RAT botnet C2 server (confidence level: 100%) |
| 77.42.83.71:80 | Stealc botnet C2 server (confidence level: 100%) |
| 45.156.87.154:7707 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 2.57.19.46:411 | XWorm botnet C2 server (confidence level: 100%) |
| 82.22.23.160:4449 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 154.36.188.114:11788 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 154.36.188.114:11778 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 23.248.212.114:433 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 23.248.212.114:443 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 23.248.212.114:5222 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 47.237.107.28:7181 | ValleyRAT botnet C2 server (confidence level: 100%) |
| 148.178.117.121:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 148.178.118.104:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 148.178.119.99:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 148.178.39.39:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 148.178.52.48:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 148.178.56.52:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 148.178.71.81:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 207.56.204.254:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 207.56.205.62:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 207.56.207.74:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 44.238.171.194:443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 47.83.182.237:8888 | Sliver botnet C2 server (confidence level: 75%) |
| 77.239.124.44:8443 | DeimosC2 botnet C2 server (confidence level: 75%) |
| 95.9.236.229:2003 | AsyncRAT botnet C2 server (confidence level: 75%) |
| 155.117.155.45:80 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 120.46.3.183:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 128.90.122.67:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 46.4.224.208:2404 | Remcos botnet C2 server (confidence level: 100%) |
| 45.83.31.84:8080 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 95.9.236.229:2000 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 89.110.107.177:9000 | SectopRAT botnet C2 server (confidence level: 100%) |
| 1.54.115.86:443 | Quasar RAT botnet C2 server (confidence level: 100%) |
| 217.217.255.48:8080 | Chaos botnet C2 server (confidence level: 100%) |
| 34.30.77.194:80 | Empire Downloader botnet C2 server (confidence level: 100%) |
| 85.121.148.24:443 | VShell botnet C2 server (confidence level: 100%) |
| 47.86.60.178:443 | Cobalt Strike botnet C2 server (confidence level: 100%) |
| 89.223.95.83:8888 | Unknown malware botnet C2 server (confidence level: 100%) |
| 94.154.35.73:7707 | AsyncRAT botnet C2 server (confidence level: 100%) |
| 152.67.103.55:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 34.246.190.48:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 159.223.172.168:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 144.24.156.118:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 206.172.45.10:443 | Unknown malware botnet C2 server (confidence level: 100%) |
| 204.216.140.71:3333 | Unknown malware botnet C2 server (confidence level: 100%) |
| 143.47.190.197:443 | Octopus botnet C2 server (confidence level: 100%) |
Url
Domain
Threat ID: 696eca324623b1157cd58ea8
Added to database: 1/20/2026, 12:20:02 AM
Last enriched: 1/20/2026, 12:20:13 AM
Last updated: 1/20/2026, 6:13:26 PM