ThreatFox IOCs for 2026-01-29
ThreatFox IOCs for 2026-01-29
AI Analysis
Technical Summary
This threat entry from the ThreatFox MISP feed dated January 29, 2026, provides a collection of Indicators of Compromise (IOCs) related to malware activities categorized under OSINT, network activity, and payload delivery. The data does not specify affected software versions or known exploits in the wild, and no patches are available, indicating either a newly identified or low-profile threat. The threat level is rated as 2 on an unspecified scale, with a medium severity classification. The absence of concrete technical details or specific malware families limits the ability to perform deep technical analysis. The threat appears to be focused on reconnaissance and delivery stages of an attack lifecycle, potentially involving network-based payload delivery mechanisms. The lack of known exploits and patch availability suggests this may be an emerging threat or one primarily identified through threat intelligence sharing rather than active exploitation. The indicators are tagged as TLP:white, meaning they are intended for broad sharing, which supports the notion of early-stage or informational threat data. Overall, this represents a moderate risk that requires monitoring and integration into security operations for early detection and response.
Potential Impact
For European organizations, the impact of this threat is currently moderate due to the absence of active exploits and specific targeted vulnerabilities. However, the focus on network activity and payload delivery implies potential risks to network infrastructure and endpoint security if the malware is deployed successfully. Organizations relying heavily on networked services and digital communications could face disruptions or data compromise if these IOCs correspond to active campaigns. The lack of patches means that if exploitation vectors are discovered, remediation might be delayed, increasing exposure. The threat could also contribute to broader cyber espionage or data exfiltration efforts, especially in sectors with sensitive information such as finance, government, and critical infrastructure. The medium severity suggests that while immediate widespread damage is unlikely, the threat should not be ignored, particularly in environments with complex network architectures and high-value assets.
Mitigation Recommendations
1. Integrate the provided IOCs into existing threat intelligence platforms and security information and event management (SIEM) systems to enhance detection capabilities. 2. Conduct network traffic analysis focusing on unusual payload delivery patterns or connections to suspicious domains or IPs associated with the IOCs. 3. Strengthen endpoint detection and response (EDR) tools to identify and quarantine potential malware payloads early in the attack chain. 4. Implement strict network segmentation to limit lateral movement if payload delivery occurs. 5. Maintain up-to-date backups and incident response plans tailored to malware infections involving network-based delivery. 6. Engage in active threat hunting exercises using the IOCs to identify potential compromises proactively. 7. Collaborate with national and European cybersecurity centers to share findings and receive updated intelligence. 8. Educate security teams on recognizing early signs of network-based payload delivery and OSINT-related reconnaissance activities. These steps go beyond generic advice by focusing on operationalizing the specific intelligence and enhancing detection and containment capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Indicators of Compromise
- file: 81.94.151.189
- hash: 1312
- file: 45.93.20.205
- hash: 80
- file: 138.226.236.254
- hash: 80
- url: https://34ten.com/
- file: 112.213.110.180
- hash: 9090
- file: 72.60.30.120
- hash: 8090
- file: 194.59.31.64
- hash: 8727
- file: 93.198.186.62
- hash: 81
- file: 83.136.251.141
- hash: 8000
- file: 52.51.175.248
- hash: 2082
- url: https://cdn.jsdelivr.net/gh/relight-73-unsigned/tk-hz-ctrl/ypfcbjy5exc2pzs4bc7j
- file: 38.60.214.166
- hash: 4443
- file: 124.221.65.130
- hash: 80
- file: 109.248.151.109
- hash: 2404
- file: 158.94.210.95
- hash: 8808
- file: 185.11.61.237
- hash: 9000
- file: 37.148.133.242
- hash: 443
- file: 146.235.38.234
- hash: 5038
- file: 144.24.139.70
- hash: 5038
- file: 103.106.229.177
- hash: 5038
- file: 140.238.207.208
- hash: 5038
- file: 167.86.153.197
- hash: 443
- file: 93.198.186.62
- hash: 82
- file: 45.129.9.25
- hash: 4444
- url: http://144.172.106.251/
- domain: th3hunt3r-53504.portmap.host
- file: 33.53.50.4
- hash: 4449
- file: 33.53.50.4
- hash: 25340
- file: 33.53.50.4
- hash: 53504
- url: https://cdn.jsdelivr.net/gh/grading-chatter-dock73/super-docs-web3/sdf
- file: 185.222.58.48
- hash: 55615
- file: 23.235.179.117
- hash: 34781
- file: 216.126.239.50
- hash: 80
- file: 216.126.239.50
- hash: 443
- file: 63.176.129.242
- hash: 80
- file: 51.178.11.179
- hash: 2487
- file: 3.137.149.24
- hash: 443
- file: 193.233.113.81
- hash: 8080
- file: 129.151.142.36
- hash: 5038
- file: 138.2.16.164
- hash: 5038
- file: 83.136.249.143
- hash: 8000
- file: 34.123.90.49
- hash: 8082
- url: https://cdn.jsdelivr.net/gh/grading-chatter-dock73/super-docs-web3/forward
- file: 125.25.56.12
- hash: 7443
- file: 54.153.244.254
- hash: 443
- file: 74.48.214.25
- hash: 443
- file: 8.219.240.66
- hash: 10230
- file: 123.207.50.225
- hash: 9002
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/eth
- file: 213.152.162.89
- hash: 5580
- file: 213.152.162.170
- hash: 5580
- file: 84.54.37.191
- hash: 7080
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/cvx
- url: https://tor.cloudvaly.com/
- url: https://tor.beznervov.com/
- url: https://pov.cloudvaly.com/
- url: https://pov.beznervov.com/
- url: https://bek.cloudvaly.com/
- url: https://bek.beznervov.com/
- url: https://49.13.124.144/
- url: https://49.13.33.221/
- url: https://135.181.14.70/
- url: https://37.27.63.113/
- url: https://95.217.227.187/
- url: https://178.17.59.34/
- domain: bek.cloudvaly.com
- domain: bek.beznervov.com
- domain: pov.cloudvaly.com
- domain: pov.beznervov.com
- domain: tor.cloudvaly.com
- domain: tor.beznervov.com
- file: 49.13.124.144
- hash: 443
- file: 49.13.33.221
- hash: 443
- file: 135.181.14.70
- hash: 443
- file: 37.27.63.113
- hash: 443
- file: 95.217.227.187
- hash: 443
- file: 178.17.59.34
- hash: 443
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/var
- domain: midlandaudio.com
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/zec
- domain: kakapupuneww.com
- file: 91.215.85.119
- hash: 9999
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/bra
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/hex
- file: 193.161.193.99
- hash: 42479
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/tor
- file: 194.87.198.205
- hash: 80
- file: 8.148.251.204
- hash: 443
- url: http://cb042722.tw1.ru/b4e69250.php
- domain: evil.azuretest.fr
- domain: rousedonkibure.us
- file: 146.103.40.249
- hash: 8000
- file: 45.155.173.119
- hash: 8443
- file: 159.198.37.223
- hash: 8080
- file: 54.90.55.61
- hash: 443
- file: 80.211.130.251
- hash: 3333
- file: 34.233.15.237
- hash: 443
- file: 178.156.234.79
- hash: 8443
- file: 194.150.220.63
- hash: 2083
- file: 194.150.220.63
- hash: 8443
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/das
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/zr0
- file: 43.156.27.192
- hash: 80
- file: 206.238.70.42
- hash: 80
- domain: boosterman22q1-42479.portmap.host
- domain: egornigga-61525.portmap.host
- domain: hebasix.duckdns.org
- file: 45.150.128.141
- hash: 7000
- domain: boosterman22q1-33740.portmap.host
- file: 192.3.136.235
- hash: 5070
- file: 20.206.201.190
- hash: 2404
- file: 194.68.225.168
- hash: 80
- file: 47.109.78.104
- hash: 8080
- file: 172.104.188.247
- hash: 9999
- file: 91.108.244.139
- hash: 443
- domain: dohinukss.localto.net
- domain: luvxcide.duckdns.org
- file: 104.248.130.195
- hash: 7492
- domain: license.eu.com
- domain: nog.jp.net
- domain: vyy.uk.com
- url: https://menopjc.cyou/api
- url: https://stathas.cyou/api
- url: https://interrg.cyou/api
- domain: interrg.cyou
- domain: aliengp.cyou
- domain: vetchir.cyou
- domain: menopjc.cyou
- domain: stathas.cyou
- domain: odovakmc.cyou
- domain: mummifjn.cyou
- domain: offseti.cyou
- domain: genussy.cyou
- domain: studfdu.cyou
- domain: unmindv.cyou
- file: 156.234.218.171
- hash: 24704
- file: 47.101.152.28
- hash: 80
- file: 124.198.131.201
- hash: 8888
- file: 185.208.159.173
- hash: 2404
- file: 45.83.31.246
- hash: 5000
- file: 107.172.31.102
- hash: 4465
- file: 81.17.99.174
- hash: 443
- file: 185.11.61.241
- hash: 7777
- file: 20.106.187.78
- hash: 443
- file: 196.75.172.144
- hash: 2222
- file: 13.245.75.48
- hash: 53744
- file: 103.177.47.176
- hash: 3790
- file: 151.64.17.150
- hash: 8080
- file: 207.189.164.112
- hash: 9999
- domain: tdrdomainnew.com
- url: https://cdn.jsdelivr.net/gh/web3call/ws014/st85
- domain: ofofoalalaladjrkrka.com
- domain: foamfasfkkfkfkfa.com
- domain: cansti.in.net
- domain: handsonatwork.co.uk
- file: 94.26.90.170
- hash: 443
- file: 194.62.55.143
- hash: 1604
- domain: 337788bet.site
- domain: kd62.casino
- domain: taxnearme.com
- domain: clearwaterfishingcompany.com
- domain: hobefork.com
- domain: communications.it.com
- domain: fb888.uk.com
- domain: octazo.gb.net
- domain: rentals-hidden.gl.at.ply.gg
- file: 46.137.227.63
- hash: 9696
- file: 13.201.84.62
- hash: 6666
- file: 138.199.38.132
- hash: 53284
- domain: www.355bet.com.br
- file: 47.74.57.14
- hash: 8080
- domain: stobminipinporl.com
- url: http://evervisionicd.com/xquat/fre.php
- url: https://stobminipinporl.com/api/bot/heartbeat
- file: 115.187.17.138
- hash: 443
- file: 209.145.63.3
- hash: 33330
- file: 45.88.186.45
- hash: 1000
- file: 52.223.52.219
- hash: 443
- file: 54.73.77.160
- hash: 443
- domain: njtankservices.com
- domain: laderbaj.net
- domain: gosemobi.com
- domain: bargeshipping.com
- file: 192.241.120.160
- hash: 2176
- file: 190.144.146.90
- hash: 2205
- file: 103.136.249.49
- hash: 31333
- file: 45.156.87.160
- hash: 8808
- file: 56.112.53.44
- hash: 35458
- file: 13.212.200.168
- hash: 37892
- domain: wydannc6.v0xenharvest.ru
- domain: hqej69yf.v0xenharvest.ru
- domain: arsenmarkaruyn.com
- domain: cotlesgengeral.com
- domain: mini-zmoto.com
- url: https://aliengp.cyou/api
- url: http://158.94.211.84
- url: http://45.93.20.205
- file: 192.109.200.95
- hash: 8443
- domain: captolls.com
- url: http://45.93.20.205/ce11694fbb78411c.php
- domain: vitoboy.com
- file: 64.89.163.60
- hash: 443
- file: 156.234.254.139
- hash: 24704
- file: 109.205.180.199
- hash: 7443
- file: 185.208.156.179
- hash: 4444
- file: 197.134.65.5
- hash: 8080
- file: 217.216.32.194
- hash: 8888
- file: 5.59.248.53
- hash: 80
- file: 172.236.98.73
- hash: 60000
- file: 9.141.179.31
- hash: 3333
- file: 185.43.6.40
- hash: 443
- file: 52.57.28.240
- hash: 80
- file: 114.116.248.166
- hash: 3333
ThreatFox IOCs for 2026-01-29
Description
ThreatFox IOCs for 2026-01-29
AI-Powered Analysis
Technical Analysis
This threat entry from the ThreatFox MISP feed dated January 29, 2026, provides a collection of Indicators of Compromise (IOCs) related to malware activities categorized under OSINT, network activity, and payload delivery. The data does not specify affected software versions or known exploits in the wild, and no patches are available, indicating either a newly identified or low-profile threat. The threat level is rated as 2 on an unspecified scale, with a medium severity classification. The absence of concrete technical details or specific malware families limits the ability to perform deep technical analysis. The threat appears to be focused on reconnaissance and delivery stages of an attack lifecycle, potentially involving network-based payload delivery mechanisms. The lack of known exploits and patch availability suggests this may be an emerging threat or one primarily identified through threat intelligence sharing rather than active exploitation. The indicators are tagged as TLP:white, meaning they are intended for broad sharing, which supports the notion of early-stage or informational threat data. Overall, this represents a moderate risk that requires monitoring and integration into security operations for early detection and response.
Potential Impact
For European organizations, the impact of this threat is currently moderate due to the absence of active exploits and specific targeted vulnerabilities. However, the focus on network activity and payload delivery implies potential risks to network infrastructure and endpoint security if the malware is deployed successfully. Organizations relying heavily on networked services and digital communications could face disruptions or data compromise if these IOCs correspond to active campaigns. The lack of patches means that if exploitation vectors are discovered, remediation might be delayed, increasing exposure. The threat could also contribute to broader cyber espionage or data exfiltration efforts, especially in sectors with sensitive information such as finance, government, and critical infrastructure. The medium severity suggests that while immediate widespread damage is unlikely, the threat should not be ignored, particularly in environments with complex network architectures and high-value assets.
Mitigation Recommendations
1. Integrate the provided IOCs into existing threat intelligence platforms and security information and event management (SIEM) systems to enhance detection capabilities. 2. Conduct network traffic analysis focusing on unusual payload delivery patterns or connections to suspicious domains or IPs associated with the IOCs. 3. Strengthen endpoint detection and response (EDR) tools to identify and quarantine potential malware payloads early in the attack chain. 4. Implement strict network segmentation to limit lateral movement if payload delivery occurs. 5. Maintain up-to-date backups and incident response plans tailored to malware infections involving network-based delivery. 6. Engage in active threat hunting exercises using the IOCs to identify potential compromises proactively. 7. Collaborate with national and European cybersecurity centers to share findings and receive updated intelligence. 8. Educate security teams on recognizing early signs of network-based payload delivery and OSINT-related reconnaissance activities. These steps go beyond generic advice by focusing on operationalizing the specific intelligence and enhancing detection and containment capabilities.
Affected Countries
Technical Details
- Threat Level
- 2
- Analysis
- 1
- Distribution
- 3
- Uuid
- ed7cdd9c-f335-40e1-ae41-f39c2c096530
- Original Timestamp
- 1769731387
Indicators of Compromise
File
| Value | Description | Copy |
|---|---|---|
file81.94.151.189 | Mirai botnet C2 server (confidence level: 80%) | |
file45.93.20.205 | Stealc botnet C2 server (confidence level: 100%) | |
file138.226.236.254 | Stealc botnet C2 server (confidence level: 100%) | |
file112.213.110.180 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file72.60.30.120 | Sliver botnet C2 server (confidence level: 100%) | |
file194.59.31.64 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file93.198.186.62 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file83.136.251.141 | MimiKatz botnet C2 server (confidence level: 100%) | |
file52.51.175.248 | Meterpreter botnet C2 server (confidence level: 100%) | |
file38.60.214.166 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file124.221.65.130 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file109.248.151.109 | Remcos botnet C2 server (confidence level: 100%) | |
file158.94.210.95 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file185.11.61.237 | SectopRAT botnet C2 server (confidence level: 100%) | |
file37.148.133.242 | Unknown malware botnet C2 server (confidence level: 100%) | |
file146.235.38.234 | DCRat botnet C2 server (confidence level: 100%) | |
file144.24.139.70 | DCRat botnet C2 server (confidence level: 100%) | |
file103.106.229.177 | DCRat botnet C2 server (confidence level: 100%) | |
file140.238.207.208 | DCRat botnet C2 server (confidence level: 100%) | |
file167.86.153.197 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file93.198.186.62 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
file45.129.9.25 | AdaptixC2 botnet C2 server (confidence level: 100%) | |
file33.53.50.4 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file33.53.50.4 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file33.53.50.4 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file185.222.58.48 | RedLine Stealer botnet C2 server (confidence level: 75%) | |
file23.235.179.117 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file216.126.239.50 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file216.126.239.50 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file63.176.129.242 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file51.178.11.179 | Remcos botnet C2 server (confidence level: 100%) | |
file3.137.149.24 | Havoc botnet C2 server (confidence level: 100%) | |
file193.233.113.81 | Venom RAT botnet C2 server (confidence level: 100%) | |
file129.151.142.36 | DCRat botnet C2 server (confidence level: 100%) | |
file138.2.16.164 | DCRat botnet C2 server (confidence level: 100%) | |
file83.136.249.143 | MimiKatz botnet C2 server (confidence level: 100%) | |
file34.123.90.49 | Empire Downloader botnet C2 server (confidence level: 100%) | |
file125.25.56.12 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
file54.153.244.254 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file74.48.214.25 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file8.219.240.66 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file123.207.50.225 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
file213.152.162.89 | Nanocore RAT botnet C2 server (confidence level: 75%) | |
file213.152.162.170 | Nanocore RAT botnet C2 server (confidence level: 75%) | |
file84.54.37.191 | Bashlite botnet C2 server (confidence level: 75%) | |
file49.13.124.144 | Vidar botnet C2 server (confidence level: 100%) | |
file49.13.33.221 | Vidar botnet C2 server (confidence level: 100%) | |
file135.181.14.70 | Vidar botnet C2 server (confidence level: 100%) | |
file37.27.63.113 | Vidar botnet C2 server (confidence level: 100%) | |
file95.217.227.187 | Vidar botnet C2 server (confidence level: 100%) | |
file178.17.59.34 | Vidar botnet C2 server (confidence level: 100%) | |
file91.215.85.119 | CastleRAT botnet C2 server (confidence level: 75%) | |
file193.161.193.99 | NjRAT botnet C2 server (confidence level: 100%) | |
file194.87.198.205 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file8.148.251.204 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file146.103.40.249 | Havoc botnet C2 server (confidence level: 100%) | |
file45.155.173.119 | Havoc botnet C2 server (confidence level: 100%) | |
file159.198.37.223 | Unknown malware botnet C2 server (confidence level: 100%) | |
file54.90.55.61 | Unknown malware botnet C2 server (confidence level: 100%) | |
file80.211.130.251 | Unknown malware botnet C2 server (confidence level: 100%) | |
file34.233.15.237 | Unknown malware botnet C2 server (confidence level: 100%) | |
file178.156.234.79 | Unknown malware botnet C2 server (confidence level: 100%) | |
file194.150.220.63 | Unknown malware botnet C2 server (confidence level: 100%) | |
file194.150.220.63 | Unknown malware botnet C2 server (confidence level: 100%) | |
file43.156.27.192 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file206.238.70.42 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file45.150.128.141 | XWorm botnet C2 server (confidence level: 100%) | |
file192.3.136.235 | Remcos botnet C2 server (confidence level: 100%) | |
file20.206.201.190 | Remcos botnet C2 server (confidence level: 100%) | |
file194.68.225.168 | Unknown RAT botnet C2 server (confidence level: 100%) | |
file47.109.78.104 | Sliver botnet C2 server (confidence level: 100%) | |
file172.104.188.247 | AdaptixC2 botnet C2 server (confidence level: 100%) | |
file91.108.244.139 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
file104.248.130.195 | NjRAT botnet C2 server (confidence level: 100%) | |
file156.234.218.171 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file47.101.152.28 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file124.198.131.201 | Remcos botnet C2 server (confidence level: 100%) | |
file185.208.159.173 | Remcos botnet C2 server (confidence level: 100%) | |
file45.83.31.246 | Remcos botnet C2 server (confidence level: 100%) | |
file107.172.31.102 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file81.17.99.174 | Unknown malware botnet C2 server (confidence level: 100%) | |
file185.11.61.241 | DCRat botnet C2 server (confidence level: 100%) | |
file20.106.187.78 | PoshC2 botnet C2 server (confidence level: 100%) | |
file196.75.172.144 | Meterpreter botnet C2 server (confidence level: 100%) | |
file13.245.75.48 | Meterpreter botnet C2 server (confidence level: 100%) | |
file103.177.47.176 | Meterpreter botnet C2 server (confidence level: 100%) | |
file151.64.17.150 | Empire Downloader botnet C2 server (confidence level: 100%) | |
file207.189.164.112 | CastleRAT botnet C2 server (confidence level: 100%) | |
file94.26.90.170 | ClearFake payload delivery server (confidence level: 100%) | |
file194.62.55.143 | Quasar RAT botnet C2 server (confidence level: 75%) | |
file46.137.227.63 | XWorm botnet C2 server (confidence level: 100%) | |
file13.201.84.62 | XWorm botnet C2 server (confidence level: 100%) | |
file138.199.38.132 | Remcos botnet C2 server (confidence level: 100%) | |
file47.74.57.14 | ValleyRAT botnet C2 server (confidence level: 100%) | |
file115.187.17.138 | BianLian botnet C2 server (confidence level: 75%) | |
file209.145.63.3 | AsyncRAT botnet C2 server (confidence level: 75%) | |
file45.88.186.45 | Remcos botnet C2 server (confidence level: 75%) | |
file52.223.52.219 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file54.73.77.160 | DeimosC2 botnet C2 server (confidence level: 75%) | |
file192.241.120.160 | Remcos botnet C2 server (confidence level: 75%) | |
file190.144.146.90 | Remcos botnet C2 server (confidence level: 100%) | |
file103.136.249.49 | Sliver botnet C2 server (confidence level: 100%) | |
file45.156.87.160 | AsyncRAT botnet C2 server (confidence level: 100%) | |
file56.112.53.44 | Meterpreter botnet C2 server (confidence level: 100%) | |
file13.212.200.168 | Meterpreter botnet C2 server (confidence level: 100%) | |
file192.109.200.95 | XenoRAT botnet C2 server (confidence level: 100%) | |
file64.89.163.60 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file156.234.254.139 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
file109.205.180.199 | Unknown malware botnet C2 server (confidence level: 100%) | |
file185.208.156.179 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file197.134.65.5 | Quasar RAT botnet C2 server (confidence level: 100%) | |
file217.216.32.194 | DCRat botnet C2 server (confidence level: 100%) | |
file5.59.248.53 | MooBot botnet C2 server (confidence level: 100%) | |
file172.236.98.73 | Unknown malware botnet C2 server (confidence level: 100%) | |
file9.141.179.31 | Unknown malware botnet C2 server (confidence level: 100%) | |
file185.43.6.40 | Unknown malware botnet C2 server (confidence level: 100%) | |
file52.57.28.240 | Unknown malware botnet C2 server (confidence level: 100%) | |
file114.116.248.166 | Unknown malware botnet C2 server (confidence level: 100%) |
Hash
| Value | Description | Copy |
|---|---|---|
hash1312 | Mirai botnet C2 server (confidence level: 80%) | |
hash80 | Stealc botnet C2 server (confidence level: 100%) | |
hash80 | Stealc botnet C2 server (confidence level: 100%) | |
hash9090 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8090 | Sliver botnet C2 server (confidence level: 100%) | |
hash8727 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash81 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash8000 | MimiKatz botnet C2 server (confidence level: 100%) | |
hash2082 | Meterpreter botnet C2 server (confidence level: 100%) | |
hash4443 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash9000 | SectopRAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash5038 | DCRat botnet C2 server (confidence level: 100%) | |
hash5038 | DCRat botnet C2 server (confidence level: 100%) | |
hash5038 | DCRat botnet C2 server (confidence level: 100%) | |
hash5038 | DCRat botnet C2 server (confidence level: 100%) | |
hash443 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash82 | NetSupportManager RAT botnet C2 server (confidence level: 100%) | |
hash4444 | AdaptixC2 botnet C2 server (confidence level: 100%) | |
hash4449 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash25340 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash53504 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash55615 | RedLine Stealer botnet C2 server (confidence level: 75%) | |
hash34781 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash2487 | Remcos botnet C2 server (confidence level: 100%) | |
hash443 | Havoc botnet C2 server (confidence level: 100%) | |
hash8080 | Venom RAT botnet C2 server (confidence level: 100%) | |
hash5038 | DCRat botnet C2 server (confidence level: 100%) | |
hash5038 | DCRat botnet C2 server (confidence level: 100%) | |
hash8000 | MimiKatz botnet C2 server (confidence level: 100%) | |
hash8082 | Empire Downloader botnet C2 server (confidence level: 100%) | |
hash7443 | NetSupportManager RAT botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash10230 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash9002 | Cobalt Strike botnet C2 server (confidence level: 75%) | |
hash5580 | Nanocore RAT botnet C2 server (confidence level: 75%) | |
hash5580 | Nanocore RAT botnet C2 server (confidence level: 75%) | |
hash7080 | Bashlite botnet C2 server (confidence level: 75%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash443 | Vidar botnet C2 server (confidence level: 100%) | |
hash9999 | CastleRAT botnet C2 server (confidence level: 75%) | |
hash42479 | NjRAT botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8000 | Havoc botnet C2 server (confidence level: 100%) | |
hash8443 | Havoc botnet C2 server (confidence level: 100%) | |
hash8080 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash2083 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash8443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash7000 | XWorm botnet C2 server (confidence level: 100%) | |
hash5070 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash80 | Unknown RAT botnet C2 server (confidence level: 100%) | |
hash8080 | Sliver botnet C2 server (confidence level: 100%) | |
hash9999 | AdaptixC2 botnet C2 server (confidence level: 100%) | |
hash443 | FAKEUPDATES payload delivery server (confidence level: 100%) | |
hash7492 | NjRAT botnet C2 server (confidence level: 100%) | |
hash24704 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash80 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash8888 | Remcos botnet C2 server (confidence level: 100%) | |
hash2404 | Remcos botnet C2 server (confidence level: 100%) | |
hash5000 | Remcos botnet C2 server (confidence level: 100%) | |
hash4465 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash7777 | DCRat botnet C2 server (confidence level: 100%) | |
hash443 | PoshC2 botnet C2 server (confidence level: 100%) | |
hash2222 | Meterpreter botnet C2 server (confidence level: 100%) | |
hash53744 | Meterpreter botnet C2 server (confidence level: 100%) | |
hash3790 | Meterpreter botnet C2 server (confidence level: 100%) | |
hash8080 | Empire Downloader botnet C2 server (confidence level: 100%) | |
hash9999 | CastleRAT botnet C2 server (confidence level: 100%) | |
hash443 | ClearFake payload delivery server (confidence level: 100%) | |
hash1604 | Quasar RAT botnet C2 server (confidence level: 75%) | |
hash9696 | XWorm botnet C2 server (confidence level: 100%) | |
hash6666 | XWorm botnet C2 server (confidence level: 100%) | |
hash53284 | Remcos botnet C2 server (confidence level: 100%) | |
hash8080 | ValleyRAT botnet C2 server (confidence level: 100%) | |
hash443 | BianLian botnet C2 server (confidence level: 75%) | |
hash33330 | AsyncRAT botnet C2 server (confidence level: 75%) | |
hash1000 | Remcos botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash443 | DeimosC2 botnet C2 server (confidence level: 75%) | |
hash2176 | Remcos botnet C2 server (confidence level: 75%) | |
hash2205 | Remcos botnet C2 server (confidence level: 100%) | |
hash31333 | Sliver botnet C2 server (confidence level: 100%) | |
hash8808 | AsyncRAT botnet C2 server (confidence level: 100%) | |
hash35458 | Meterpreter botnet C2 server (confidence level: 100%) | |
hash37892 | Meterpreter botnet C2 server (confidence level: 100%) | |
hash8443 | XenoRAT botnet C2 server (confidence level: 100%) | |
hash443 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash24704 | Cobalt Strike botnet C2 server (confidence level: 100%) | |
hash7443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash4444 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash8080 | Quasar RAT botnet C2 server (confidence level: 100%) | |
hash8888 | DCRat botnet C2 server (confidence level: 100%) | |
hash80 | MooBot botnet C2 server (confidence level: 100%) | |
hash60000 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash443 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash80 | Unknown malware botnet C2 server (confidence level: 100%) | |
hash3333 | Unknown malware botnet C2 server (confidence level: 100%) |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://34ten.com/ | Unknown malware payload delivery URL (confidence level: 90%) | |
urlhttps://cdn.jsdelivr.net/gh/relight-73-unsigned/tk-hz-ctrl/ypfcbjy5exc2pzs4bc7j | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://144.172.106.251/ | Unknown malware botnet C2 (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/grading-chatter-dock73/super-docs-web3/sdf | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/grading-chatter-dock73/super-docs-web3/forward | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/eth | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/cvx | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://tor.cloudvaly.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://tor.beznervov.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://pov.cloudvaly.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://pov.beznervov.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://bek.cloudvaly.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://bek.beznervov.com/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://49.13.124.144/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://49.13.33.221/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://135.181.14.70/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://37.27.63.113/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://95.217.227.187/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://178.17.59.34/ | Vidar botnet C2 (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/var | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/zec | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/bra | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/hex | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/tor | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://cb042722.tw1.ru/b4e69250.php | DCRat botnet C2 (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/das | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/zr0 | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttps://menopjc.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://stathas.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://interrg.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttps://cdn.jsdelivr.net/gh/web3call/ws014/st85 | ClearFake payload delivery URL (confidence level: 100%) | |
urlhttp://evervisionicd.com/xquat/fre.php | Loki Password Stealer (PWS) botnet C2 (confidence level: 100%) | |
urlhttps://stobminipinporl.com/api/bot/heartbeat | Unknown Stealer botnet C2 (confidence level: 100%) | |
urlhttps://aliengp.cyou/api | Lumma Stealer botnet C2 (confidence level: 75%) | |
urlhttp://158.94.211.84 | Stealc botnet C2 (confidence level: 75%) | |
urlhttp://45.93.20.205 | Stealc botnet C2 (confidence level: 75%) | |
urlhttp://45.93.20.205/ce11694fbb78411c.php | Stealc botnet C2 (confidence level: 100%) |
Domain
| Value | Description | Copy |
|---|---|---|
domainth3hunt3r-53504.portmap.host | XWorm botnet C2 domain (confidence level: 100%) | |
domainbek.cloudvaly.com | Vidar botnet C2 domain (confidence level: 100%) | |
domainbek.beznervov.com | Vidar botnet C2 domain (confidence level: 100%) | |
domainpov.cloudvaly.com | Vidar botnet C2 domain (confidence level: 100%) | |
domainpov.beznervov.com | Vidar botnet C2 domain (confidence level: 100%) | |
domaintor.cloudvaly.com | Vidar botnet C2 domain (confidence level: 100%) | |
domaintor.beznervov.com | Vidar botnet C2 domain (confidence level: 100%) | |
domainmidlandaudio.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainkakapupuneww.com | CastleRAT botnet C2 domain (confidence level: 100%) | |
domainevil.azuretest.fr | Unknown malware botnet C2 domain (confidence level: 100%) | |
domainrousedonkibure.us | Havoc botnet C2 domain (confidence level: 100%) | |
domainboosterman22q1-42479.portmap.host | XWorm botnet C2 domain (confidence level: 100%) | |
domainegornigga-61525.portmap.host | XWorm botnet C2 domain (confidence level: 100%) | |
domainhebasix.duckdns.org | XWorm botnet C2 domain (confidence level: 100%) | |
domainboosterman22q1-33740.portmap.host | XWorm botnet C2 domain (confidence level: 100%) | |
domaindohinukss.localto.net | SpyNote botnet C2 domain (confidence level: 100%) | |
domainluvxcide.duckdns.org | Nanocore RAT botnet C2 domain (confidence level: 100%) | |
domainlicense.eu.com | Quasar RAT botnet C2 domain (confidence level: 75%) | |
domainnog.jp.net | Quasar RAT botnet C2 domain (confidence level: 75%) | |
domainvyy.uk.com | Quasar RAT botnet C2 domain (confidence level: 75%) | |
domaininterrg.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainaliengp.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainvetchir.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainmenopjc.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainstathas.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainodovakmc.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainmummifjn.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainoffseti.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaingenussy.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainstudfdu.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domainunmindv.cyou | Lumma Stealer botnet C2 domain (confidence level: 100%) | |
domaintdrdomainnew.com | CastleRAT botnet C2 domain (confidence level: 100%) | |
domainofofoalalaladjrkrka.com | ClearFake payload delivery domain (confidence level: 100%) | |
domainfoamfasfkkfkfkfa.com | ClearFake payload delivery domain (confidence level: 100%) | |
domaincansti.in.net | AsyncRAT botnet C2 domain (confidence level: 75%) | |
domainhandsonatwork.co.uk | ClearFake payload delivery domain (confidence level: 100%) | |
domain337788bet.site | Quasar RAT botnet C2 domain (confidence level: 75%) | |
domainkd62.casino | Quasar RAT botnet C2 domain (confidence level: 75%) | |
domaintaxnearme.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainclearwaterfishingcompany.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainhobefork.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domaincommunications.it.com | AsyncRAT botnet C2 domain (confidence level: 75%) | |
domainfb888.uk.com | AsyncRAT botnet C2 domain (confidence level: 75%) | |
domainoctazo.gb.net | AsyncRAT botnet C2 domain (confidence level: 75%) | |
domainrentals-hidden.gl.at.ply.gg | XWorm botnet C2 domain (confidence level: 100%) | |
domainwww.355bet.com.br | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainstobminipinporl.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainnjtankservices.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainladerbaj.net | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domaingosemobi.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainbargeshipping.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainwydannc6.v0xenharvest.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainhqej69yf.v0xenharvest.ru | ClearFake payload delivery domain (confidence level: 100%) | |
domainarsenmarkaruyn.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domaincotlesgengeral.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domainmini-zmoto.com | Unknown Stealer botnet C2 domain (confidence level: 100%) | |
domaincaptolls.com | ClearFake payload delivery domain (confidence level: 100%) | |
domainvitoboy.com | Cobalt Strike botnet C2 domain (confidence level: 100%) |
Threat ID: 697bf749ac06320222ca82b1
Added to database: 1/30/2026, 12:11:53 AM
Last enriched: 1/30/2026, 12:12:08 AM
Last updated: 1/30/2026, 1:21:35 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Dissecting UAT-8099: New persistence mechanisms and regional focus
MediumExposed BYOB C2 Infrastructure Reveals a Multi-Stage Malware Deployment
MediumThreatFox IOCs for 2026-01-28
MediumCan't stop, won't stop: TA584 innovates initial access
MediumFake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.