Reconnecting to live updates…

ThreatFox IOCs for 2026-01-31

Severity: mediumType: malware

AI Analysis

Technical Summary

This threat entry from the ThreatFox MISP feed dated January 31, 2026, provides a set of Indicators of Compromise (IOCs) related to malware activities primarily involving OSINT (Open Source Intelligence) tools and techniques. The threat is classified under categories including OSINT, network activity, and payload delivery, indicating that the malware or associated campaigns likely use network-based methods to deliver malicious payloads or gather intelligence. The absence of affected product versions and lack of known exploits in the wild suggest this is an intelligence feed rather than a report of an active zero-day or widespread exploit. The technical details show a low threat level (2) and limited analysis (1), with distribution rated at 3, implying moderate dissemination or relevance. No patches or remediation links are available, reinforcing that this is intelligence rather than a vulnerability with a fix. The lack of concrete indicators or CWEs (Common Weakness Enumerations) limits the ability to pinpoint exact attack vectors or malware families. Overall, this entry serves as a situational awareness tool for security teams to update detection rules and monitor for related network activity or payload delivery attempts.

Potential Impact

For European organizations, the impact of this threat is moderate due to its classification as OSINT-related malware with network activity and payload delivery components. If these IOCs correspond to active campaigns, organizations could face risks of data exfiltration, network intrusion, or malware infection. The absence of known exploits and patches suggests no immediate widespread compromise but highlights the need for vigilance. Potential impacts include disruption of network services, unauthorized access to sensitive information, and increased exposure to targeted attacks leveraging OSINT techniques. Organizations heavily reliant on networked infrastructure and those engaged in intelligence or research activities may be more vulnerable. The medium severity rating reflects a balanced risk profile where exploitation is possible but not trivial or widespread at this time.

Mitigation Recommendations

1. Integrate the ThreatFox IOC feed into existing Security Information and Event Management (SIEM) and threat intelligence platforms to enable real-time detection of related indicators. 2. Enhance network monitoring to identify unusual payload delivery attempts, especially those leveraging OSINT tools or techniques. 3. Conduct regular threat hunting exercises focusing on network activity anomalies and payload delivery vectors. 4. Implement strict network segmentation to limit lateral movement in case of compromise. 5. Educate security teams on the latest OSINT-related malware tactics to improve incident response readiness. 6. Maintain up-to-date endpoint detection and response (EDR) solutions capable of identifying suspicious payloads. 7. Collaborate with national and European cybersecurity centers to share intelligence and coordinate defensive measures. 8. Since no patches are available, focus on detection and containment rather than remediation. 9. Review and harden firewall and intrusion detection/prevention system (IDS/IPS) rules to block known malicious network traffic patterns associated with these IOCs. 10. Regularly update and test incident response plans to handle potential malware infections stemming from these threat indicators.

Affected Countries

Germany, France, United Kingdom, Netherlands, Italy, Spain

Indicators of Compromise

domain: files.sandtagency.org
file: 138.226.237.76
hash: 80
file: 198.23.175.59
hash: 2404
file: 45.83.31.224
hash: 1234
file: 5.61.208.94
hash: 10333
file: 98.85.71.175
hash: 443
file: 79.241.98.68
hash: 81
file: 196.75.120.225
hash: 2222
file: 196.221.166.170
hash: 443
file: 159.89.43.34
hash: 80
domain: hsk-new.com
url: http://hsk-new.com/xdfwqsp/login.php
domain: kapadocia.duckdns.org
url: https://cdn.jsdelivr.net/gh/relight-73-unsigned/ged13/nm12
domain: img1.huorongsec.com
url: https://cdn.jsdelivr.net/gh/www1day7/msdn/das3
domain: dskzwf.za.com
domain: kzkxza.sa.com
domain: mfncnp.sa.com
domain: nbwkmp.sa.com
domain: romaniaprotv.in.net
domain: uxcpym.sa.com
url: http://104.238.177.164
file: 104.238.177.164
hash: 80
file: 45.86.86.181
hash: 80
file: 47.109.130.74
hash: 9000
file: 101.37.236.20
hash: 443
file: 23.249.28.95
hash: 14994
file: 23.249.28.96
hash: 14994
file: 195.88.191.66
hash: 443
file: 176.57.218.167
hash: 8888
file: 216.10.244.155
hash: 443
file: 43.209.123.29
hash: 103
file: 159.89.43.34
hash: 443
file: 45.93.20.141
hash: 80
file: 45.93.20.141
hash: 443
url: https://45.93.20.141/
url: http://23.94.61.153:8888/supershell/login/
domain: r7j-44928.portmap.host
file: 185.100.157.244
hash: 16002
url: http://138.226.237.76
domain: yoenacevedo7-64431.portmap.host
file: 193.161.193.99
hash: 62402
url: http://45.88.91.156/pages/login.php
file: 108.163.159.173
hash: 20526
file: 87.248.180.43
hash: 443
file: 172.81.130.143
hash: 5000
file: 103.85.226.80
hash: 4321
file: 43.208.198.212
hash: 7754
file: 103.177.47.113
hash: 3790
file: 3.133.148.37
hash: 113
file: 167.160.191.207
hash: 80
url: https://casettalecese.it/wp-content/uploads/2022/10/hemigastrectomysdur.php
url: https://casettalecese.it/wp-content/uploads/2022/10/bivalviagrr.php
url: https://casettalecese.it/wp-content/uploads/2022/10/transhumandaxj.exe
url: https://casettalecese.it/wp-content/uploads/2022/10/nephralgiamsy.ps1
url: https://casettalecese.it/wp-content/uploads/2022/10/boomier10qd0.php
file: 94.247.42.253
hash: 80
url: http://94.247.42.253/pilot.php
url: https://casettalecese.it/wp-content/uploads/2022/10/sd2.ps1
url: http://94.247.42.253/index.php
domain: telephoned.su
domain: gaphmxpa.cyou
domain: shorted.cyou
domain: yelloww.cyou
domain: scirpvu.cyou
domain: garnevf.cyou
domain: elmtrce.cyou
domain: liliiqo.cyou
file: 144.208.127.217
hash: 8000
domain: chimdikeiheanyichukwu.ydns.eu
file: 172.245.195.198
hash: 20905
file: 223.215.161.16
hash: 10250
file: 36.142.6.173
hash: 10250
domain: adm-toolkit.live
url: https://cdn.jsdelivr.net/gh/www1day7/msdn/flag
domain: foodservicer.com
url: http://77.110.103.209:3000/api/logs
url: http://77.110.103.209:3000/api/hvnc/heartbeat
url: https://adm-toolkit.live/api/logs
url: http://77.110.103.209/api/logs
file: 77.110.103.209
hash: 80
domain: 08tk02ji.nexorhino.digital
domain: 3uk9rba1.nexorhino.digital
file: 120.55.195.205
hash: 80
file: 121.91.230.182
hash: 8808
file: 178.16.54.184
hash: 6606
file: 144.126.149.104
hash: 95
file: 144.172.88.250
hash: 7001
file: 170.187.237.39
hash: 443
file: 54.197.120.61
hash: 443
file: 85.215.132.159
hash: 4545
file: 43.142.135.16
hash: 9205
file: 157.180.3.131
hash: 3333
domain: derzkifrost-990.sbs
url: http://104.238.177.164/03ec61a401e346be.php
file: 130.12.181.170
hash: 2404
file: 172.233.15.195
hash: 8888
file: 162.33.179.156
hash: 8808
file: 157.20.182.25
hash: 1339
file: 69.62.125.171
hash: 443
file: 51.48.3.26
hash: 1311
file: 103.177.47.144
hash: 3790
file: 103.177.47.139
hash: 3790
file: 103.177.47.130
hash: 3790
file: 51.16.42.220
hash: 8001
file: 103.177.47.119
hash: 3790
file: 124.44.3.74
hash: 88
file: 16.58.157.121
hash: 80
domain: yoenacevedo7-62402.portmap.host
domain: yoenacevedo7-52605.portmap.host
domain: d0ngz.icu
domain: yoenacevedo7-42593.portmap.host
file: 206.119.166.189
hash: 9988
file: 142.171.198.177
hash: 8443
url: https://16.58.157.121/
domain: kglzwkqk.plancortex.digital
domain: zd4fai56.plancortex.digital
url: http://89.223.95.104:8888/supershell/login/
file: 89.223.95.104
hash: 8888
domain: diffusn.cyou
domain: offdutd.cyou
domain: tragedj.cyou
file: 89.223.95.97
hash: 8888
file: 91.92.242.161
hash: 8808
file: 104.248.177.238
hash: 8081
file: 194.59.30.79
hash: 9619
domain: transfernow.website
file: 13.62.56.163
hash: 18244
file: 54.179.215.123
hash: 58123
domain: chromewi99000-49071.portmap.host
domain: r8bw6dylh.localto.net
domain: nightspace-57464.portmap.host
domain: yov1os2mn.localto.net
domain: inn-ht.gl.at.ply.gg
domain: mopicif949-47022.portmap.host
domain: awjh0a0e.zentrivio.digital
domain: 7epuzkwa.zentrivio.digital
file: 134.199.134.66
hash: 7443
file: 193.22.152.157
hash: 825
file: 212.64.199.181
hash: 8808
file: 52.23.88.208
hash: 443
domain: yoenacevedo7-38238.portmap.host
file: 162.120.187.244
hash: 3000
file: 185.184.192.251
hash: 3000
domain: ragydagy-32447.portmap.host
domain: hhholyshitttt1243-31975.portmap.host
domain: cloudboxmac.com
domain: driveport38.com
domain: fastsendportal02.com
domain: imacmigrator.com
domain: imacrestorehub.com
domain: macared.com
domain: maccloudbeam.com
domain: maccloudstorage.com
domain: macfilebeam.com
domain: macfileshare.com
domain: macfilestorage.com
domain: macflowy.com
domain: macicloudtrack.com
domain: macsendpath.com
domain: macsyncbin.com
domain: megafilehub4.xyz
domain: mymachelpdesk.com
domain: sendportal02.com
file: 1.12.66.17
hash: 80
file: 44.200.237.10
hash: 443
file: 47.245.85.155
hash: 8888
file: 217.60.7.192
hash: 7443
file: 138.124.53.33
hash: 80
file: 38.224.133.119
hash: 443
file: 43.208.238.110
hash: 22522
file: 18.217.34.53
hash: 80
domain: iphotline.com
file: 13.250.222.197
hash: 8090
file: 124.77.220.119
hash: 8082
file: 95.216.222.174
hash: 443
file: 178.128.101.226
hash: 3333
file: 172.178.81.164
hash: 3333
file: 13.51.36.30
hash: 443
url: http://212.67.17.63/javascriptapiwindowsgeneratorwptemp.php
file: 193.161.193.99
hash: 38238
file: 155.94.163.103
hash: 8080

ThreatFox IOCs for 2026-01-31

Severity: medium

Type: malware

ThreatFox IOCs for 2026-01-31

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, France, United Kingdom, Netherlands, Italy, Spain

Indicators of Compromise

domain: files.sandtagency.org
file: 138.226.237.76
hash: 80
file: 198.23.175.59
hash: 2404
file: 45.83.31.224
hash: 1234
file: 5.61.208.94
hash: 10333
file: 98.85.71.175
hash: 443
file: 79.241.98.68
hash: 81
file: 196.75.120.225
hash: 2222
file: 196.221.166.170
hash: 443
file: 159.89.43.34
hash: 80
domain: hsk-new.com
url: http://hsk-new.com/xdfwqsp/login.php
domain: kapadocia.duckdns.org
url: https://cdn.jsdelivr.net/gh/relight-73-unsigned/ged13/nm12
domain: img1.huorongsec.com
url: https://cdn.jsdelivr.net/gh/www1day7/msdn/das3
domain: dskzwf.za.com
domain: kzkxza.sa.com
domain: mfncnp.sa.com
domain: nbwkmp.sa.com
domain: romaniaprotv.in.net
domain: uxcpym.sa.com
url: http://104.238.177.164
file: 104.238.177.164
hash: 80
file: 45.86.86.181
hash: 80
file: 47.109.130.74
hash: 9000
file: 101.37.236.20
hash: 443
file: 23.249.28.95
hash: 14994
file: 23.249.28.96
hash: 14994
file: 195.88.191.66
hash: 443
file: 176.57.218.167
hash: 8888
file: 216.10.244.155
hash: 443
file: 43.209.123.29
hash: 103
file: 159.89.43.34
hash: 443
file: 45.93.20.141
hash: 80
file: 45.93.20.141
hash: 443
url: https://45.93.20.141/
url: http://23.94.61.153:8888/supershell/login/
domain: r7j-44928.portmap.host
file: 185.100.157.244
hash: 16002
url: http://138.226.237.76
domain: yoenacevedo7-64431.portmap.host
file: 193.161.193.99
hash: 62402
url: http://45.88.91.156/pages/login.php
file: 108.163.159.173
hash: 20526
file: 87.248.180.43
hash: 443
file: 172.81.130.143
hash: 5000
file: 103.85.226.80
hash: 4321
file: 43.208.198.212
hash: 7754
file: 103.177.47.113
hash: 3790
file: 3.133.148.37
hash: 113
file: 167.160.191.207
hash: 80
url: https://casettalecese.it/wp-content/uploads/2022/10/hemigastrectomysdur.php
url: https://casettalecese.it/wp-content/uploads/2022/10/bivalviagrr.php
url: https://casettalecese.it/wp-content/uploads/2022/10/transhumandaxj.exe
url: https://casettalecese.it/wp-content/uploads/2022/10/nephralgiamsy.ps1
url: https://casettalecese.it/wp-content/uploads/2022/10/boomier10qd0.php
file: 94.247.42.253
hash: 80
url: http://94.247.42.253/pilot.php
url: https://casettalecese.it/wp-content/uploads/2022/10/sd2.ps1
url: http://94.247.42.253/index.php
domain: telephoned.su
domain: gaphmxpa.cyou
domain: shorted.cyou
domain: yelloww.cyou
domain: scirpvu.cyou
domain: garnevf.cyou
domain: elmtrce.cyou
domain: liliiqo.cyou
file: 144.208.127.217
hash: 8000
domain: chimdikeiheanyichukwu.ydns.eu
file: 172.245.195.198
hash: 20905
file: 223.215.161.16
hash: 10250
file: 36.142.6.173
hash: 10250
domain: adm-toolkit.live
url: https://cdn.jsdelivr.net/gh/www1day7/msdn/flag
domain: foodservicer.com
url: http://77.110.103.209:3000/api/logs
url: http://77.110.103.209:3000/api/hvnc/heartbeat
url: https://adm-toolkit.live/api/logs
url: http://77.110.103.209/api/logs
file: 77.110.103.209
hash: 80
domain: 08tk02ji.nexorhino.digital
domain: 3uk9rba1.nexorhino.digital
file: 120.55.195.205
hash: 80
file: 121.91.230.182
hash: 8808
file: 178.16.54.184
hash: 6606
file: 144.126.149.104
hash: 95
file: 144.172.88.250
hash: 7001
file: 170.187.237.39
hash: 443
file: 54.197.120.61
hash: 443
file: 85.215.132.159
hash: 4545
file: 43.142.135.16
hash: 9205
file: 157.180.3.131
hash: 3333
domain: derzkifrost-990.sbs
url: http://104.238.177.164/03ec61a401e346be.php
file: 130.12.181.170
hash: 2404
file: 172.233.15.195
hash: 8888
file: 162.33.179.156
hash: 8808
file: 157.20.182.25
hash: 1339
file: 69.62.125.171
hash: 443
file: 51.48.3.26
hash: 1311
file: 103.177.47.144
hash: 3790
file: 103.177.47.139
hash: 3790
file: 103.177.47.130
hash: 3790
file: 51.16.42.220
hash: 8001
file: 103.177.47.119
hash: 3790
file: 124.44.3.74
hash: 88
file: 16.58.157.121
hash: 80
domain: yoenacevedo7-62402.portmap.host
domain: yoenacevedo7-52605.portmap.host
domain: d0ngz.icu
domain: yoenacevedo7-42593.portmap.host
file: 206.119.166.189
hash: 9988
file: 142.171.198.177
hash: 8443
url: https://16.58.157.121/
domain: kglzwkqk.plancortex.digital
domain: zd4fai56.plancortex.digital
url: http://89.223.95.104:8888/supershell/login/
file: 89.223.95.104
hash: 8888
domain: diffusn.cyou
domain: offdutd.cyou
domain: tragedj.cyou
file: 89.223.95.97
hash: 8888
file: 91.92.242.161
hash: 8808
file: 104.248.177.238
hash: 8081
file: 194.59.30.79
hash: 9619
domain: transfernow.website
file: 13.62.56.163
hash: 18244
file: 54.179.215.123
hash: 58123
domain: chromewi99000-49071.portmap.host
domain: r8bw6dylh.localto.net
domain: nightspace-57464.portmap.host
domain: yov1os2mn.localto.net
domain: inn-ht.gl.at.ply.gg
domain: mopicif949-47022.portmap.host
domain: awjh0a0e.zentrivio.digital
domain: 7epuzkwa.zentrivio.digital
file: 134.199.134.66
hash: 7443
file: 193.22.152.157
hash: 825
file: 212.64.199.181
hash: 8808
file: 52.23.88.208
hash: 443
domain: yoenacevedo7-38238.portmap.host
file: 162.120.187.244
hash: 3000
file: 185.184.192.251
hash: 3000
domain: ragydagy-32447.portmap.host
domain: hhholyshitttt1243-31975.portmap.host
domain: cloudboxmac.com
domain: driveport38.com
domain: fastsendportal02.com
domain: imacmigrator.com
domain: imacrestorehub.com
domain: macared.com
domain: maccloudbeam.com
domain: maccloudstorage.com
domain: macfilebeam.com
domain: macfileshare.com
domain: macfilestorage.com
domain: macflowy.com
domain: macicloudtrack.com
domain: macsendpath.com
domain: macsyncbin.com
domain: megafilehub4.xyz
domain: mymachelpdesk.com
domain: sendportal02.com
file: 1.12.66.17
hash: 80
file: 44.200.237.10
hash: 443
file: 47.245.85.155
hash: 8888
file: 217.60.7.192
hash: 7443
file: 138.124.53.33
hash: 80
file: 38.224.133.119
hash: 443
file: 43.208.238.110
hash: 22522
file: 18.217.34.53
hash: 80
domain: iphotline.com
file: 13.250.222.197
hash: 8090
file: 124.77.220.119
hash: 8082
file: 95.216.222.174
hash: 443
file: 178.128.101.226
hash: 3333
file: 172.178.81.164
hash: 3333
file: 13.51.36.30
hash: 443
url: http://212.67.17.63/javascriptapiwindowsgeneratorwptemp.php
file: 193.161.193.99
hash: 38238
file: 155.94.163.103
hash: 8080

Source: ThreatFox MISP Feed

Published: Sat Jan 31 2026

ThreatFox IOCs for 2026-01-31

Medium

Malwaretype:osint tlp:white

Published: Sat Jan 31 2026 (01/31/2026, 00:00:00 UTC)

Source: ThreatFox MISP Feed

Vendor/Project: type

Product: osint

Description

ThreatFox IOCs for 2026-01-31

AI-Powered Analysis

AILast updated: 02/01/2026, 00:12:19 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Upgrade to Pro Console

Technical Details

Threat Level: 2
Analysis: 1
Distribution: 3
Uuid: 53325188-0270-4885-90b7-dd4178b13c6e
Original Timestamp: 1769904187

Indicators of Compromise

Domain

Value	Description	Copy
domainfiles.sandtagency.org	FAKEUPDATES botnet C2 domain (confidence level: 100%)
domainhsk-new.com	DarkCloud Stealer botnet C2 domain (confidence level: 50%)
domainkapadocia.duckdns.org	Mirai botnet C2 domain (confidence level: 100%)
domainimg1.huorongsec.com	Cobalt Strike botnet C2 domain (confidence level: 75%)
domaindskzwf.za.com	AsyncRAT botnet C2 domain (confidence level: 75%)
domainkzkxza.sa.com	AsyncRAT botnet C2 domain (confidence level: 75%)
domainmfncnp.sa.com	AsyncRAT botnet C2 domain (confidence level: 75%)
domainnbwkmp.sa.com	AsyncRAT botnet C2 domain (confidence level: 75%)
domainromaniaprotv.in.net	AsyncRAT botnet C2 domain (confidence level: 75%)
domainuxcpym.sa.com	AsyncRAT botnet C2 domain (confidence level: 75%)
domainr7j-44928.portmap.host	XWorm botnet C2 domain (confidence level: 100%)
domainyoenacevedo7-64431.portmap.host	Orcus RAT botnet C2 domain (confidence level: 100%)
domaintelephoned.su	Lumma Stealer botnet C2 domain (confidence level: 100%)
domaingaphmxpa.cyou	Lumma Stealer botnet C2 domain (confidence level: 100%)
domainshorted.cyou	Lumma Stealer botnet C2 domain (confidence level: 100%)
domainyelloww.cyou	Lumma Stealer botnet C2 domain (confidence level: 100%)
domainscirpvu.cyou	Lumma Stealer botnet C2 domain (confidence level: 100%)
domaingarnevf.cyou	Lumma Stealer botnet C2 domain (confidence level: 100%)
domainelmtrce.cyou	Lumma Stealer botnet C2 domain (confidence level: 100%)
domainliliiqo.cyou	Lumma Stealer botnet C2 domain (confidence level: 100%)
domainchimdikeiheanyichukwu.ydns.eu	Unknown malware botnet C2 domain (confidence level: 100%)
domainadm-toolkit.live	Unknown Stealer botnet C2 domain (confidence level: 100%)
domainfoodservicer.com	Unknown Stealer botnet C2 domain (confidence level: 100%)
domain08tk02ji.nexorhino.digital	ClearFake payload delivery domain (confidence level: 100%)
domain3uk9rba1.nexorhino.digital	ClearFake payload delivery domain (confidence level: 100%)
domainderzkifrost-990.sbs	MaskGramStealer botnet C2 domain (confidence level: 100%)
domainyoenacevedo7-62402.portmap.host	Quasar RAT botnet C2 domain (confidence level: 100%)
domainyoenacevedo7-52605.portmap.host	NjRAT botnet C2 domain (confidence level: 100%)
domaind0ngz.icu	ValleyRAT botnet C2 domain (confidence level: 100%)
domainyoenacevedo7-42593.portmap.host	Orcus RAT botnet C2 domain (confidence level: 100%)
domainkglzwkqk.plancortex.digital	ClearFake payload delivery domain (confidence level: 100%)
domainzd4fai56.plancortex.digital	ClearFake payload delivery domain (confidence level: 100%)
domaindiffusn.cyou	Lumma Stealer botnet C2 domain (confidence level: 75%)
domainoffdutd.cyou	Lumma Stealer botnet C2 domain (confidence level: 75%)
domaintragedj.cyou	Lumma Stealer botnet C2 domain (confidence level: 75%)
domaintransfernow.website	Havoc botnet C2 domain (confidence level: 100%)
domainchromewi99000-49071.portmap.host	XWorm botnet C2 domain (confidence level: 100%)
domainr8bw6dylh.localto.net	XWorm botnet C2 domain (confidence level: 100%)
domainnightspace-57464.portmap.host	XWorm botnet C2 domain (confidence level: 100%)
domainyov1os2mn.localto.net	XWorm botnet C2 domain (confidence level: 100%)
domaininn-ht.gl.at.ply.gg	XWorm botnet C2 domain (confidence level: 100%)
domainmopicif949-47022.portmap.host	AsyncRAT botnet C2 domain (confidence level: 100%)
domainawjh0a0e.zentrivio.digital	ClearFake payload delivery domain (confidence level: 100%)
domain7epuzkwa.zentrivio.digital	ClearFake payload delivery domain (confidence level: 100%)
domainyoenacevedo7-38238.portmap.host	XWorm botnet C2 domain (confidence level: 100%)
domainragydagy-32447.portmap.host	AsyncRAT botnet C2 domain (confidence level: 100%)
domainhhholyshitttt1243-31975.portmap.host	AsyncRAT botnet C2 domain (confidence level: 100%)
domaincloudboxmac.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domaindriveport38.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainfastsendportal02.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainimacmigrator.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainimacrestorehub.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacared.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmaccloudbeam.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmaccloudstorage.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacfilebeam.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacfileshare.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacfilestorage.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacflowy.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacicloudtrack.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacsendpath.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmacsyncbin.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmegafilehub4.xyz	Unknown Stealer payload delivery domain (confidence level: 100%)
domainmymachelpdesk.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainsendportal02.com	Unknown Stealer payload delivery domain (confidence level: 100%)
domainiphotline.com	Unknown Stealer botnet C2 domain (confidence level: 100%)

File

Value	Description	Copy
file138.226.237.76	Stealc botnet C2 server (confidence level: 100%)
file198.23.175.59	Remcos botnet C2 server (confidence level: 100%)
file45.83.31.224	Remcos botnet C2 server (confidence level: 100%)
file5.61.208.94	Remcos botnet C2 server (confidence level: 100%)
file98.85.71.175	Unknown malware botnet C2 server (confidence level: 100%)
file79.241.98.68	NetSupportManager RAT botnet C2 server (confidence level: 100%)
file196.75.120.225	Meterpreter botnet C2 server (confidence level: 100%)
file196.221.166.170	Meterpreter botnet C2 server (confidence level: 100%)
file159.89.43.34	Empire Downloader botnet C2 server (confidence level: 100%)
file104.238.177.164	Stealc botnet C2 server (confidence level: 100%)
file45.86.86.181	Cobalt Strike botnet C2 server (confidence level: 100%)
file47.109.130.74	Cobalt Strike botnet C2 server (confidence level: 100%)
file101.37.236.20	Cobalt Strike botnet C2 server (confidence level: 100%)
file23.249.28.95	Ghost RAT botnet C2 server (confidence level: 100%)
file23.249.28.96	Ghost RAT botnet C2 server (confidence level: 100%)
file195.88.191.66	Unknown RAT botnet C2 server (confidence level: 100%)
file176.57.218.167	DCRat botnet C2 server (confidence level: 100%)
file216.10.244.155	Bashlite botnet C2 server (confidence level: 100%)
file43.209.123.29	Meterpreter botnet C2 server (confidence level: 100%)
file159.89.43.34	Empire Downloader botnet C2 server (confidence level: 100%)
file45.93.20.141	Unknown malware botnet C2 server (confidence level: 100%)
file45.93.20.141	Unknown malware botnet C2 server (confidence level: 100%)
file185.100.157.244	Quasar RAT botnet C2 server (confidence level: 100%)
file193.161.193.99	Quasar RAT botnet C2 server (confidence level: 100%)
file108.163.159.173	Remcos botnet C2 server (confidence level: 100%)
file87.248.180.43	Sliver botnet C2 server (confidence level: 100%)
file172.81.130.143	Venom RAT botnet C2 server (confidence level: 100%)
file103.85.226.80	AdaptixC2 botnet C2 server (confidence level: 100%)
file43.208.198.212	Meterpreter botnet C2 server (confidence level: 100%)
file103.177.47.113	Meterpreter botnet C2 server (confidence level: 100%)
file3.133.148.37	Meterpreter botnet C2 server (confidence level: 100%)
file167.160.191.207	Cobalt Strike botnet C2 server (confidence level: 100%)
file94.247.42.253	Koi Loader botnet C2 server (confidence level: 75%)
file144.208.127.217	Sliver botnet C2 server (confidence level: 75%)
file172.245.195.198	Unknown RAT botnet C2 server (confidence level: 50%)
file223.215.161.16	DeimosC2 botnet C2 server (confidence level: 75%)
file36.142.6.173	DeimosC2 botnet C2 server (confidence level: 75%)
file77.110.103.209	Unknown Stealer botnet C2 server (confidence level: 75%)
file120.55.195.205	Cobalt Strike botnet C2 server (confidence level: 100%)
file121.91.230.182	AsyncRAT botnet C2 server (confidence level: 100%)
file178.16.54.184	AsyncRAT botnet C2 server (confidence level: 100%)
file144.126.149.104	AsyncRAT botnet C2 server (confidence level: 100%)
file144.172.88.250	DCRat botnet C2 server (confidence level: 100%)
file170.187.237.39	Unknown malware botnet C2 server (confidence level: 100%)
file54.197.120.61	Unknown malware botnet C2 server (confidence level: 100%)
file85.215.132.159	Unknown malware botnet C2 server (confidence level: 100%)
file43.142.135.16	Unknown malware botnet C2 server (confidence level: 100%)
file157.180.3.131	Unknown malware botnet C2 server (confidence level: 100%)
file130.12.181.170	Remcos botnet C2 server (confidence level: 100%)
file172.233.15.195	Unknown malware botnet C2 server (confidence level: 100%)
file162.33.179.156	AsyncRAT botnet C2 server (confidence level: 100%)
file157.20.182.25	AsyncRAT botnet C2 server (confidence level: 100%)
file69.62.125.171	Unknown malware botnet C2 server (confidence level: 100%)
file51.48.3.26	Meterpreter botnet C2 server (confidence level: 100%)
file103.177.47.144	Meterpreter botnet C2 server (confidence level: 100%)
file103.177.47.139	Meterpreter botnet C2 server (confidence level: 100%)
file103.177.47.130	Meterpreter botnet C2 server (confidence level: 100%)
file51.16.42.220	Meterpreter botnet C2 server (confidence level: 100%)
file103.177.47.119	Meterpreter botnet C2 server (confidence level: 100%)
file124.44.3.74	Cobalt Strike botnet C2 server (confidence level: 100%)
file16.58.157.121	Unknown malware botnet C2 server (confidence level: 100%)
file206.119.166.189	ValleyRAT botnet C2 server (confidence level: 100%)
file142.171.198.177	Meterpreter botnet C2 server (confidence level: 75%)
file89.223.95.104	Unknown malware botnet C2 server (confidence level: 100%)
file89.223.95.97	Unknown malware botnet C2 server (confidence level: 100%)
file91.92.242.161	AsyncRAT botnet C2 server (confidence level: 100%)
file104.248.177.238	Hook botnet C2 server (confidence level: 100%)
file194.59.30.79	Quasar RAT botnet C2 server (confidence level: 100%)
file13.62.56.163	Meterpreter botnet C2 server (confidence level: 100%)
file54.179.215.123	Meterpreter botnet C2 server (confidence level: 100%)
file134.199.134.66	Unknown malware botnet C2 server (confidence level: 75%)
file193.22.152.157	DeimosC2 botnet C2 server (confidence level: 75%)
file212.64.199.181	AsyncRAT botnet C2 server (confidence level: 75%)
file52.23.88.208	DeimosC2 botnet C2 server (confidence level: 75%)
file162.120.187.244	XWorm botnet C2 server (confidence level: 100%)
file185.184.192.251	XWorm botnet C2 server (confidence level: 100%)
file1.12.66.17	Cobalt Strike botnet C2 server (confidence level: 100%)
file44.200.237.10	Sliver botnet C2 server (confidence level: 100%)
file47.245.85.155	Unknown malware botnet C2 server (confidence level: 100%)
file217.60.7.192	Unknown malware botnet C2 server (confidence level: 100%)
file138.124.53.33	Hook botnet C2 server (confidence level: 100%)
file38.224.133.119	Havoc botnet C2 server (confidence level: 100%)
file43.208.238.110	Meterpreter botnet C2 server (confidence level: 100%)
file18.217.34.53	Unknown malware botnet C2 server (confidence level: 100%)
file13.250.222.197	Sliver botnet C2 server (confidence level: 90%)
file124.77.220.119	Unknown malware botnet C2 server (confidence level: 100%)
file95.216.222.174	Unknown malware botnet C2 server (confidence level: 100%)
file178.128.101.226	Unknown malware botnet C2 server (confidence level: 100%)
file172.178.81.164	Unknown malware botnet C2 server (confidence level: 100%)
file13.51.36.30	Unknown malware botnet C2 server (confidence level: 100%)
file193.161.193.99	Quasar RAT botnet C2 server (confidence level: 100%)
file155.94.163.103	AsyncRAT botnet C2 server (confidence level: 100%)

Hash

Value	Description	Copy
hash80	Stealc botnet C2 server (confidence level: 100%)
hash2404	Remcos botnet C2 server (confidence level: 100%)
hash1234	Remcos botnet C2 server (confidence level: 100%)
hash10333	Remcos botnet C2 server (confidence level: 100%)
hash443	Unknown malware botnet C2 server (confidence level: 100%)
hash81	NetSupportManager RAT botnet C2 server (confidence level: 100%)
hash2222	Meterpreter botnet C2 server (confidence level: 100%)
hash443	Meterpreter botnet C2 server (confidence level: 100%)
hash80	Empire Downloader botnet C2 server (confidence level: 100%)
hash80	Stealc botnet C2 server (confidence level: 100%)
hash80	Cobalt Strike botnet C2 server (confidence level: 100%)
hash9000	Cobalt Strike botnet C2 server (confidence level: 100%)
hash443	Cobalt Strike botnet C2 server (confidence level: 100%)
hash14994	Ghost RAT botnet C2 server (confidence level: 100%)
hash14994	Ghost RAT botnet C2 server (confidence level: 100%)
hash443	Unknown RAT botnet C2 server (confidence level: 100%)
hash8888	DCRat botnet C2 server (confidence level: 100%)
hash443	Bashlite botnet C2 server (confidence level: 100%)
hash103	Meterpreter botnet C2 server (confidence level: 100%)
hash443	Empire Downloader botnet C2 server (confidence level: 100%)
hash80	Unknown malware botnet C2 server (confidence level: 100%)
hash443	Unknown malware botnet C2 server (confidence level: 100%)
hash16002	Quasar RAT botnet C2 server (confidence level: 100%)
hash62402	Quasar RAT botnet C2 server (confidence level: 100%)
hash20526	Remcos botnet C2 server (confidence level: 100%)
hash443	Sliver botnet C2 server (confidence level: 100%)
hash5000	Venom RAT botnet C2 server (confidence level: 100%)
hash4321	AdaptixC2 botnet C2 server (confidence level: 100%)
hash7754	Meterpreter botnet C2 server (confidence level: 100%)
hash3790	Meterpreter botnet C2 server (confidence level: 100%)
hash113	Meterpreter botnet C2 server (confidence level: 100%)
hash80	Cobalt Strike botnet C2 server (confidence level: 100%)
hash80	Koi Loader botnet C2 server (confidence level: 75%)
hash8000	Sliver botnet C2 server (confidence level: 75%)
hash20905	Unknown RAT botnet C2 server (confidence level: 50%)
hash10250	DeimosC2 botnet C2 server (confidence level: 75%)
hash10250	DeimosC2 botnet C2 server (confidence level: 75%)
hash80	Unknown Stealer botnet C2 server (confidence level: 75%)
hash80	Cobalt Strike botnet C2 server (confidence level: 100%)
hash8808	AsyncRAT botnet C2 server (confidence level: 100%)
hash6606	AsyncRAT botnet C2 server (confidence level: 100%)
hash95	AsyncRAT botnet C2 server (confidence level: 100%)
hash7001	DCRat botnet C2 server (confidence level: 100%)
hash443	Unknown malware botnet C2 server (confidence level: 100%)
hash443	Unknown malware botnet C2 server (confidence level: 100%)
hash4545	Unknown malware botnet C2 server (confidence level: 100%)
hash9205	Unknown malware botnet C2 server (confidence level: 100%)
hash3333	Unknown malware botnet C2 server (confidence level: 100%)
hash2404	Remcos botnet C2 server (confidence level: 100%)
hash8888	Unknown malware botnet C2 server (confidence level: 100%)
hash8808	AsyncRAT botnet C2 server (confidence level: 100%)
hash1339	AsyncRAT botnet C2 server (confidence level: 100%)
hash443	Unknown malware botnet C2 server (confidence level: 100%)
hash1311	Meterpreter botnet C2 server (confidence level: 100%)
hash3790	Meterpreter botnet C2 server (confidence level: 100%)
hash3790	Meterpreter botnet C2 server (confidence level: 100%)
hash3790	Meterpreter botnet C2 server (confidence level: 100%)
hash8001	Meterpreter botnet C2 server (confidence level: 100%)
hash3790	Meterpreter botnet C2 server (confidence level: 100%)
hash88	Cobalt Strike botnet C2 server (confidence level: 100%)
hash80	Unknown malware botnet C2 server (confidence level: 100%)
hash9988	ValleyRAT botnet C2 server (confidence level: 100%)
hash8443	Meterpreter botnet C2 server (confidence level: 75%)
hash8888	Unknown malware botnet C2 server (confidence level: 100%)
hash8888	Unknown malware botnet C2 server (confidence level: 100%)
hash8808	AsyncRAT botnet C2 server (confidence level: 100%)
hash8081	Hook botnet C2 server (confidence level: 100%)
hash9619	Quasar RAT botnet C2 server (confidence level: 100%)
hash18244	Meterpreter botnet C2 server (confidence level: 100%)
hash58123	Meterpreter botnet C2 server (confidence level: 100%)
hash7443	Unknown malware botnet C2 server (confidence level: 75%)
hash825	DeimosC2 botnet C2 server (confidence level: 75%)
hash8808	AsyncRAT botnet C2 server (confidence level: 75%)
hash443	DeimosC2 botnet C2 server (confidence level: 75%)
hash3000	XWorm botnet C2 server (confidence level: 100%)
hash3000	XWorm botnet C2 server (confidence level: 100%)
hash80	Cobalt Strike botnet C2 server (confidence level: 100%)
hash443	Sliver botnet C2 server (confidence level: 100%)
hash8888	Unknown malware botnet C2 server (confidence level: 100%)
hash7443	Unknown malware botnet C2 server (confidence level: 100%)
hash80	Hook botnet C2 server (confidence level: 100%)
hash443	Havoc botnet C2 server (confidence level: 100%)
hash22522	Meterpreter botnet C2 server (confidence level: 100%)
hash80	Unknown malware botnet C2 server (confidence level: 100%)
hash8090	Sliver botnet C2 server (confidence level: 90%)
hash8082	Unknown malware botnet C2 server (confidence level: 100%)
hash443	Unknown malware botnet C2 server (confidence level: 100%)
hash3333	Unknown malware botnet C2 server (confidence level: 100%)
hash3333	Unknown malware botnet C2 server (confidence level: 100%)
hash443	Unknown malware botnet C2 server (confidence level: 100%)
hash38238	Quasar RAT botnet C2 server (confidence level: 100%)
hash8080	AsyncRAT botnet C2 server (confidence level: 100%)

Url

Value	Description	Copy
urlhttp://hsk-new.com/xdfwqsp/login.php	DarkCloud Stealer botnet C2 (confidence level: 100%)
urlhttps://cdn.jsdelivr.net/gh/relight-73-unsigned/ged13/nm12	ClearFake payload delivery URL (confidence level: 100%)
urlhttps://cdn.jsdelivr.net/gh/www1day7/msdn/das3	ClearFake payload delivery URL (confidence level: 100%)
urlhttp://104.238.177.164	Stealc botnet C2 (confidence level: 75%)
urlhttps://45.93.20.141/	Unknown malware payload delivery URL (confidence level: 90%)
urlhttp://23.94.61.153:8888/supershell/login/	Unknown malware botnet C2 (confidence level: 100%)
urlhttp://138.226.237.76	Stealc botnet C2 (confidence level: 100%)
urlhttp://45.88.91.156/pages/login.php	Unknown malware botnet C2 (confidence level: 100%)
urlhttps://casettalecese.it/wp-content/uploads/2022/10/hemigastrectomysdur.php	Koi Loader payload delivery URL (confidence level: 100%)
urlhttps://casettalecese.it/wp-content/uploads/2022/10/bivalviagrr.php	Koi Loader payload delivery URL (confidence level: 100%)
urlhttps://casettalecese.it/wp-content/uploads/2022/10/transhumandaxj.exe	Koi Loader payload delivery URL (confidence level: 100%)
urlhttps://casettalecese.it/wp-content/uploads/2022/10/nephralgiamsy.ps1	Koi Loader payload delivery URL (confidence level: 100%)
urlhttps://casettalecese.it/wp-content/uploads/2022/10/boomier10qd0.php	Koi Loader payload delivery URL (confidence level: 100%)
urlhttp://94.247.42.253/pilot.php	Koi Loader botnet C2 (confidence level: 100%)
urlhttps://casettalecese.it/wp-content/uploads/2022/10/sd2.ps1	Koi Loader payload delivery URL (confidence level: 100%)
urlhttp://94.247.42.253/index.php	Koi Loader payload delivery URL (confidence level: 100%)
urlhttps://cdn.jsdelivr.net/gh/www1day7/msdn/flag	ClearFake payload delivery URL (confidence level: 100%)
urlhttp://77.110.103.209:3000/api/logs	Unknown Stealer botnet C2 (confidence level: 100%)
urlhttp://77.110.103.209:3000/api/hvnc/heartbeat	Unknown Stealer botnet C2 (confidence level: 100%)
urlhttps://adm-toolkit.live/api/logs	Unknown Stealer botnet C2 (confidence level: 100%)
urlhttp://77.110.103.209/api/logs	Unknown Stealer botnet C2 (confidence level: 100%)
urlhttp://104.238.177.164/03ec61a401e346be.php	Stealc botnet C2 (confidence level: 100%)
urlhttps://16.58.157.121/	Unknown malware payload delivery URL (confidence level: 90%)
urlhttp://89.223.95.104:8888/supershell/login/	Unknown malware botnet C2 (confidence level: 100%)
urlhttp://212.67.17.63/javascriptapiwindowsgeneratorwptemp.php	DCRat botnet C2 (confidence level: 100%)

Threat ID: 697e9a49ac0632022257398d

Added to database: 2/1/2026, 12:11:53 AM

Last enriched: 2/1/2026, 12:12:19 AM

Last updated: 2/6/2026, 1:09:30 AM

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by

Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Medium

MalwareThu Feb 05 2026

SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown

Medium

MalwareThu Feb 05 2026

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need more coverage?

Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

ThreatFox IOCs for 2026-01-31

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Indicators of Compromise

ThreatFox IOCs for 2026-01-31

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Technical Details

Indicators of Compromise

Domain

File

Hash

Url

Community Reviews

Related Threats

ThreatFox IOCs for 2026-02-05

Technical Analysis of Marco Stealer

New Clickfix variant 'CrashFix' deploying Python Remote Access Trojan

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown

Actions

External Links

Need more coverage?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility