ThreatFox IOCs for 2026-02-20
AI Analysis
Technical Summary
This entry is a malware-related threat intelligence update from the ThreatFox MISP feed dated February 20, 2026. It consists mainly of Indicators of Compromise (IOCs) tagged as OSINT (Open Source Intelligence) and network activity, associated with payload delivery mechanisms. The entry itself provides no technical specifics such as affected software versions, exploit techniques, or concrete indicators, which limits the depth of analysis. No patches or mitigations are currently available, and no known exploits are actively leveraging this threat in the wild. The threat level is rated medium, reflecting moderate concern given the limited data. The OSINT and network-activity categorization suggests the threat involves the reconnaissance or initial payload delivery stages typical of malware campaigns. The absence of CWE identifiers and exploit details indicates that this is an intelligence update rather than a vulnerability or exploit report. Organizations should treat this information as one input to their broader threat intelligence efforts, focusing on monitoring network traffic and payload delivery vectors. The UUID and timestamps provide traceability within the ThreatFox system but add no technical insight. Overall, this entry serves as an alert to potential malware-related activity without immediately actionable exploit information.
Potential Impact
Given the lack of specific exploit details or affected software, the direct impact on organizations is currently limited and primarily informational. However, malware-related IOCs tied to payload delivery and network activity indicate a risk of infection or compromise if these indicators belong to an ongoing or emerging campaign. Organizations worldwide could face data exfiltration, system compromise, or service disruption if the malware payloads are successfully delivered and executed. The medium severity rating reflects moderate potential impact, mainly because of uncertainty and the lack of confirmed active exploitation. The threat may require increased monitoring and resource allocation to detect and prevent malware infections. With no patches or known exploits, the impact falls on detection and prevention capabilities rather than on immediate remediation. Whether user interaction or authentication is required is unknown, but payload delivery threats typically rely on user or system weaknesses. The overall impact is moderate but warrants attention to prevent escalation.
Mitigation Recommendations
1. Integrate the latest ThreatFox IOCs into existing security information and event management (SIEM) and intrusion detection/prevention systems (IDS/IPS) to enhance detection capabilities.
2. Conduct network traffic analysis focusing on unusual payload delivery patterns or connections to suspicious domains/IPs associated with the IOCs.
3. Employ endpoint detection and response (EDR) tools to monitor for anomalous behaviors indicative of malware execution.
4. Maintain updated threat intelligence feeds and correlate with internal logs to identify early signs of compromise.
5. Implement network segmentation to limit the spread of potential malware infections.
6. Conduct regular security awareness training emphasizing cautious handling of unsolicited payloads or network communications.
7. Since no patches are available, prioritize proactive detection and containment strategies.
8. Collaborate with threat intelligence sharing communities to receive timely updates on evolving indicators or exploits related to this threat.
9. Review and harden network perimeter defenses to reduce exposure to payload delivery attempts.
10. Prepare incident response plans to quickly address any detections related to these IOCs.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, Israel
Indicators of Compromise
Technical Details
- Threat Level: 2
- Analysis: 1
- Distribution: 3
- Uuid: 2537b5b8-c187-492a-b111-4b7016f072c1
- Original Timestamp: 1771632187
domainxworm2026.ddns.net | XWorm botnet C2 domain (confidence level: 75%) | |
domaindarkspice.bakhkondach.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainblackroot.bakhkondach.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainironclove.bakhkondach.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainbluecurrent.oceanprim.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainsaltwave.oceanprim.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaindeepcoral.oceanprim.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaincreamvalley.mooingtaste.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainfreshudder.mooingtaste.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainsweetmeadow.mooingtaste.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainfarmer.sa.com | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainexfuture.ru.com | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domainolywsu.sa.com | Quasar RAT botnet C2 domain (confidence level: 100%) | |
domain95o8yn83.stoneweir.digital | ClearFake payload delivery domain (confidence level: 100%) | |
domainjd4ftwmb.stoneweir.digital | ClearFake payload delivery domain (confidence level: 100%) | |
domainsoundcraft.iaphonics.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainechowave.iaphonics.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaintoneforge.iaphonics.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainlawkeeper.forbidthen.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainuo6ie1ro.wintermere.digital | ClearFake payload delivery domain (confidence level: 100%) | |
domaingrimorder.forbidthen.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainu281os5q.wintermere.digital | ClearFake payload delivery domain (confidence level: 100%) | |
domainnightedict.forbidthen.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainsteelgrip.crotchfuete.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainhardpunch.crotchfuete.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainroughstrike.crotchfuete.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaingoldensand.lionsand.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainwildlion.lionsand.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainsandpulse.lionsand.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainsunhunter.lionsand.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainforestleaf.bluefern.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaindeepgreen.bluefern.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainshadowfern.bluefern.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainriverroot.bluefern.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainhighstone.rockpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainhardneedle.rockpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainironpine.rockpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainmountpeak.rockpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainwaterpath.lakeford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaincoldstream.lakeford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaingoarnsds.shop | Unknown malware payload delivery domain (confidence level: 100%) | |
domaindepthnode.lakeford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domain1t7qbrm9t.localto.net | XWorm botnet C2 domain (confidence level: 100%) | |
domainstronggale.windford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaingrayroad.grayford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainnano.viewdns.net | AsyncRAT botnet C2 domain (confidence level: 75%) | |
domainstormtrace.windford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainfastbreeze.windford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainhighflow.windford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainshadowpine.darkpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainnightneedle.darkpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaindarkforest.darkpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainsilentroot.darkpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainoceanview.silverbay.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainsilvertide.silverbay.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaincoolcoast.silverbay.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaingreenmoss.mossrock.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaina0mvufym.misthollow.digital | ClearFake payload delivery domain (confidence level: 100%) | |
domainzekjryh8.misthollow.digital | ClearFake payload delivery domain (confidence level: 100%) | |
domainstonepatch.mossrock.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainoldlayer.mossrock.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainhardmoss.mossrock.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainicepine.coldpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainfrostneedle.coldpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainwintersync.coldpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainnorthpeak.coldpine.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainstonebridge.grayford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domaincloudford.grayford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainezonemart.in.net | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainjainnamkeen.in.net | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domaindarkpath.grayford.in.net | ClearFake payload delivery domain (confidence level: 100%) | |
domainenviodefebre8095.duckdns.org | AsyncRAT botnet C2 domain (confidence level: 100%) | |
domainbkns-extrans.com | Havoc botnet C2 domain (confidence level: 100%) | |
domain8i5lypxm6.localto.net | XWorm botnet C2 domain (confidence level: 100%) | |
domainmi8r8dc4.ironbark.digital | ClearFake payload delivery domain (confidence level: 100%) | |
domain0l833z7h.ironbark.digital | ClearFake payload delivery domain (confidence level: 100%) |
Threat ID: 6998f951be58cf853be4de6f
Added to database: 2/21/2026, 12:16:17 AM
Last enriched: 2/21/2026, 12:16:32 AM
Last updated: 2/21/2026, 1:20:46 AM