{
  "feed": "threatcluster-public-iocs",
  "version": 1,
  "generated_at": "2026-06-03T13:00:22Z",
  "filters": {
    "confidence": "high",
    "window_days": 30,
    "types": [
      "ipv4",
      "ipv6",
      "domain"
    ]
  },
  "count": 96,
  "iocs": [
    {
      "type": "domain",
      "value": "riggletoy.ru",
      "confidence": "high",
      "reason": "Identified as a C2 server in malware analysis",
      "first_seen": "2026-06-01T15:33:10.999147+00:00",
      "last_seen": "2026-06-01T15:33:10.999147+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.globenewswire.com",
          "url": "https://adex.com/blog/case-study-xcsset-attack/",
          "pub_date": "2026-06-01T15:33:10.999147+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "systemupdate.app",
      "confidence": "high",
      "reason": "Identified as a fake application used for harvesting user credentials, indicating attacker-controlled infrastructure.",
      "first_seen": "2026-06-01T13:00:33+00:00",
      "last_seen": "2026-06-01T13:00:33+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Cybernews",
          "url": "https://cybernews.com/security/north-korean-hacker-macos-malware/",
          "pub_date": "2026-06-01T13:00:33+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "49.207.56.74",
      "confidence": "high",
      "reason": "Referenced as the source of exploitation attempts in the article.",
      "first_seen": "2026-05-31T17:03:12.300063+00:00",
      "last_seen": "2026-05-31T17:03:12.300063+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.sysdig.com",
          "url": "https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours",
          "pub_date": "2026-05-31T17:03:12.300063+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "185.235.137.106",
      "confidence": "high",
      "reason": "C2 server tied to SideCopy infrastructure",
      "first_seen": "2026-05-30T06:54:59+00:00",
      "last_seen": "2026-05-30T06:54:59+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Gbhackers",
          "url": "https://gbhackers.com/sidecopy-deploys-persistent-xenorat/amp/",
          "pub_date": "2026-05-30T06:54:59+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "216.9.224.26",
      "confidence": "high",
      "reason": "C2 server information for Remcos agent",
      "first_seen": "2026-05-29T10:15:39.486712+00:00",
      "last_seen": "2026-05-29T10:15:39.486712+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.fortinet.com",
          "url": "https://www.fortinet.com/blog/threat-research/new-remcos-campaign-distributed-through-fake-shipping-document",
          "pub_date": "2026-05-29T10:15:39.486712+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "minemine.gleeze.com",
      "confidence": "high",
      "reason": "Blocked domain associated with miner binaries",
      "first_seen": "2026-05-28T11:25:29+00:00",
      "last_seen": "2026-05-28T16:19:28.696648+00:00",
      "source_count": 2,
      "sources": [
        {
          "source": "socprime.com",
          "url": "https://socprime.com/active-threats/from-poisoned-search-results-to-gpu-mining-a-cryptojacking-campaign-using-screenconnect-and-net-utilities/",
          "pub_date": "2026-05-28T16:19:28.696648+00:00"
        },
        {
          "source": "Rescana",
          "url": "https://www.rescana.com/post/active-exploitation-alert-gpu-mining-malware-targeting-windows-systems-via-seo-poisoning-and-ai-chatbot-recommendations",
          "pub_date": "2026-05-28T11:25:29+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "alibaba.xyz",
      "confidence": "high",
      "reason": "C2 domain associated with MINIRAT malware",
      "first_seen": "2026-05-28T11:47:11.539105+00:00",
      "last_seen": "2026-05-28T11:47:11.539105+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.wiz.io",
          "url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
          "pub_date": "2026-05-28T11:47:11.539105+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "byte-io.us",
      "confidence": "high",
      "reason": "C2 domain associated with AUDIOFIX malware",
      "first_seen": "2026-05-28T11:47:11.539105+00:00",
      "last_seen": "2026-05-28T11:47:11.539105+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.wiz.io",
          "url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
          "pub_date": "2026-05-28T11:47:11.539105+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "cloud-sync.online",
      "confidence": "high",
      "reason": "C2 domain associated with MINIRAT malware",
      "first_seen": "2026-05-28T11:47:11.539105+00:00",
      "last_seen": "2026-05-28T11:47:11.539105+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.wiz.io",
          "url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
          "pub_date": "2026-05-28T11:47:11.539105+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "windows.driver-store.com",
      "confidence": "high",
      "reason": "C2 domain associated with actor-controlled infrastructure",
      "first_seen": "2026-05-28T11:47:11.539105+00:00",
      "last_seen": "2026-05-28T11:47:11.539105+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.wiz.io",
          "url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
          "pub_date": "2026-05-28T11:47:11.539105+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "5d14vnfb.space",
      "confidence": "high",
      "reason": "C2 server listed in malware analysis",
      "first_seen": "2026-05-28T06:55:11+00:00",
      "last_seen": "2026-05-28T06:55:11+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
          "pub_date": "2026-05-28T06:55:11+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "jeaw520i.space",
      "confidence": "high",
      "reason": "C2 server listed in malware analysis",
      "first_seen": "2026-05-28T06:55:11+00:00",
      "last_seen": "2026-05-28T06:55:11+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
          "pub_date": "2026-05-28T06:55:11+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "qdmagva5.space",
      "confidence": "high",
      "reason": "C2 server listed in malware analysis",
      "first_seen": "2026-05-28T06:55:11+00:00",
      "last_seen": "2026-05-28T06:55:11+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
          "pub_date": "2026-05-28T06:55:11+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "r7mvjl67.space",
      "confidence": "high",
      "reason": "C2 server listed in malware analysis",
      "first_seen": "2026-05-28T06:55:11+00:00",
      "last_seen": "2026-05-28T06:55:11+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
          "pub_date": "2026-05-28T06:55:11+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "zgj1tam9.space",
      "confidence": "high",
      "reason": "C2 server listed in malware analysis",
      "first_seen": "2026-05-28T06:55:11+00:00",
      "last_seen": "2026-05-28T06:55:11+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
          "pub_date": "2026-05-28T06:55:11+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "107.172.212.235",
      "confidence": "high",
      "reason": "C2 server used for configuration retrieval",
      "first_seen": "2026-05-28T06:55:11+00:00",
      "last_seen": "2026-05-28T06:55:11+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
          "pub_date": "2026-05-28T06:55:11+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "217.69.3.218",
      "confidence": "high",
      "reason": "C2 server used for malware payload delivery",
      "first_seen": "2026-05-27T18:16:27.322097+00:00",
      "last_seen": "2026-05-27T18:16:27.322097+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.koi.ai",
          "url": "https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace",
          "pub_date": "2026-05-27T18:16:27.322097+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "77.83.39.211",
      "confidence": "high",
      "reason": "C2 server mentioned in context",
      "first_seen": "2026-05-27T08:17:55.911877+00:00",
      "last_seen": "2026-05-27T08:17:55.911877+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.fortinet.com",
          "url": "https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data",
          "pub_date": "2026-05-27T08:17:55.911877+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "216.126.225.129",
      "confidence": "high",
      "reason": "C2 server used for exfiltration in the campaign",
      "first_seen": "2026-05-22T19:02:47.885111+00:00",
      "last_seen": "2026-05-26T21:46:45.353786+00:00",
      "source_count": 2,
      "sources": [
        {
          "source": "safedep.io",
          "url": "https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/?ref=frontenddogma.com",
          "pub_date": "2026-05-26T21:46:45.353786+00:00"
        },
        {
          "source": "Csoonline",
          "url": "https://www.csoonline.com/article/4177124/github-actions-abused-by-megalodon-attack-to-slip-malicious-commits-into-5500-repos.html",
          "pub_date": "2026-05-26T14:02:09+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "claudecode.co.com",
      "confidence": "high",
      "reason": "Attacker-controlled domain observed in the context of impersonation.",
      "first_seen": "2026-05-26T09:19:18+00:00",
      "last_seen": "2026-05-26T09:19:18+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Letsdatascience",
          "url": "https://letsdatascience.com/news/seo-poisoning-distributes-fake-gemini-and-claude-installers-34ef26bf",
          "pub_date": "2026-05-26T09:19:18+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "claude-setup.com",
      "confidence": "high",
      "reason": "Attacker-controlled domain observed in the context of impersonation.",
      "first_seen": "2026-05-26T09:19:18+00:00",
      "last_seen": "2026-05-26T09:19:18+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Letsdatascience",
          "url": "https://letsdatascience.com/news/seo-poisoning-distributes-fake-gemini-and-claude-installers-34ef26bf",
          "pub_date": "2026-05-26T09:19:18+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "geminicli.co.com",
      "confidence": "high",
      "reason": "Attacker-controlled domain observed in the context of impersonation.",
      "first_seen": "2026-05-26T09:19:18+00:00",
      "last_seen": "2026-05-26T09:19:18+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Letsdatascience",
          "url": "https://letsdatascience.com/news/seo-poisoning-distributes-fake-gemini-and-claude-installers-34ef26bf",
          "pub_date": "2026-05-26T09:19:18+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "gemini-setup.com",
      "confidence": "high",
      "reason": "Attacker-controlled domain observed in the context of impersonation.",
      "first_seen": "2026-05-26T09:19:18+00:00",
      "last_seen": "2026-05-26T09:19:18+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Letsdatascience",
          "url": "https://letsdatascience.com/news/seo-poisoning-distributes-fake-gemini-and-claude-installers-34ef26bf",
          "pub_date": "2026-05-26T09:19:18+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "ransomed.vc",
      "confidence": "high",
      "reason": "Domain claimed to be operated by an extortion group involved in a breach",
      "first_seen": "2026-05-24T00:17:56.411240+00:00",
      "last_seen": "2026-05-24T00:17:56.411240+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.gamescreed.com",
          "url": "https://www.gamescreed.com/news/is-psn-hacked-again",
          "pub_date": "2026-05-24T00:17:56.41124+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "1vpns.com",
      "confidence": "high",
      "reason": "Seized domain associated with criminal infrastructure",
      "first_seen": "2026-05-21T14:03:44+00:00",
      "last_seen": "2026-05-22T15:48:30.403583+00:00",
      "source_count": 7,
      "sources": [
        {
          "source": "www.bitdefender.com",
          "url": "https://www.bitdefender.com/en-us/blog/businessinsights/operation-saffron-bitdefender-joins-first-vpn-takedown",
          "pub_date": "2026-05-22T15:48:30.403583+00:00"
        },
        {
          "source": "Thecyberexpress",
          "url": "https://thecyberexpress.com/first-vpn-service-seized/",
          "pub_date": "2026-05-22T08:17:08+00:00"
        },
        {
          "source": "Bitdefender",
          "url": "https://www.bitdefender.com/en-gb/blog/businessinsights/operation-saffron-bitdefender-joins-first-vpn-takedown",
          "pub_date": "2026-05-22T03:39:29+00:00"
        },
        {
          "source": "Cyberscoop",
          "url": "https://cyberscoop.com/europol-take-down-first-vpn-cybercrime/",
          "pub_date": "2026-05-21T16:05:35+00:00"
        },
        {
          "source": "Infosecurity-Magazine",
          "url": "https://www.infosecurity-magazine.com/news/first-vpn-takedown-europol/",
          "pub_date": "2026-05-21T15:30:00+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "1vpns.net",
      "confidence": "high",
      "reason": "Seized domain associated with criminal infrastructure",
      "first_seen": "2026-05-21T14:36:00+00:00",
      "last_seen": "2026-05-22T15:48:30.403583+00:00",
      "source_count": 6,
      "sources": [
        {
          "source": "www.bitdefender.com",
          "url": "https://www.bitdefender.com/en-us/blog/businessinsights/operation-saffron-bitdefender-joins-first-vpn-takedown",
          "pub_date": "2026-05-22T15:48:30.403583+00:00"
        },
        {
          "source": "Thecyberexpress",
          "url": "https://thecyberexpress.com/first-vpn-service-seized/",
          "pub_date": "2026-05-22T08:17:08+00:00"
        },
        {
          "source": "Bitdefender",
          "url": "https://www.bitdefender.com/en-gb/blog/businessinsights/operation-saffron-bitdefender-joins-first-vpn-takedown",
          "pub_date": "2026-05-22T03:39:29+00:00"
        },
        {
          "source": "Cyberscoop",
          "url": "https://cyberscoop.com/europol-take-down-first-vpn-cybercrime/",
          "pub_date": "2026-05-21T16:05:35+00:00"
        },
        {
          "source": "Infosecurity-Magazine",
          "url": "https://www.infosecurity-magazine.com/news/first-vpn-takedown-europol/",
          "pub_date": "2026-05-21T15:30:00+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "1vpns.org",
      "confidence": "high",
      "reason": "Seized domain associated with criminal infrastructure",
      "first_seen": "2026-05-21T14:36:00+00:00",
      "last_seen": "2026-05-22T15:48:30.403583+00:00",
      "source_count": 6,
      "sources": [
        {
          "source": "www.bitdefender.com",
          "url": "https://www.bitdefender.com/en-us/blog/businessinsights/operation-saffron-bitdefender-joins-first-vpn-takedown",
          "pub_date": "2026-05-22T15:48:30.403583+00:00"
        },
        {
          "source": "Thecyberexpress",
          "url": "https://thecyberexpress.com/first-vpn-service-seized/",
          "pub_date": "2026-05-22T08:17:08+00:00"
        },
        {
          "source": "Bitdefender",
          "url": "https://www.bitdefender.com/en-gb/blog/businessinsights/operation-saffron-bitdefender-joins-first-vpn-takedown",
          "pub_date": "2026-05-22T03:39:29+00:00"
        },
        {
          "source": "Cyberscoop",
          "url": "https://cyberscoop.com/europol-take-down-first-vpn-cybercrime/",
          "pub_date": "2026-05-21T16:05:35+00:00"
        },
        {
          "source": "Infosecurity-Magazine",
          "url": "https://www.infosecurity-magazine.com/news/first-vpn-takedown-europol/",
          "pub_date": "2026-05-21T15:30:00+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "runner.bw",
      "confidence": "high",
      "reason": "Referenced as a malicious component associated with NosyStealer",
      "first_seen": "2026-05-21T22:33:23.622299+00:00",
      "last_seen": "2026-05-21T22:33:23.622299+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/",
          "pub_date": "2026-05-21T22:33:23.622299+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "l1ewsu3yjkqeroy.xyz",
      "confidence": "high",
      "reason": "C2 server used in supply chain attack",
      "first_seen": "2026-05-21T11:04:03+00:00",
      "last_seen": "2026-05-21T11:04:03+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Technadu",
          "url": "https://www.technadu.com/compromised-art-template-npm-package-delivers-coruna-like-ios-exploit/628212/",
          "pub_date": "2026-05-21T11:04:03+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "mamont.jo",
      "confidence": "high",
      "reason": "Malicious domain associated with banking trojan attacks",
      "first_seen": "2026-05-20T21:01:54+00:00",
      "last_seen": "2026-05-20T21:01:54+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Vocal.Media",
          "url": "https://vocal.media/01/how-smartphones-get-hacked-the-2026-threat-landscape-you-need-to-understand",
          "pub_date": "2026-05-20T21:01:54+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "attacker-host.com",
      "confidence": "high",
      "reason": "C2 server used in attack scenario",
      "first_seen": "2026-05-20T20:47:00.269511+00:00",
      "last_seen": "2026-05-20T20:47:00.269511+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "oddguan.com",
          "url": "https://oddguan.com/blog/second-time-same-sandbox-anthropic-claude-code-network-allowlist-bypass-data-exfiltration/",
          "pub_date": "2026-05-20T20:47:00.269511+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "proxy.ae",
      "confidence": "high",
      "reason": "Mentioned as a tool used by a threat actor",
      "first_seen": "2026-05-20T14:21:46+00:00",
      "last_seen": "2026-05-20T14:21:46+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Welivesecurity",
          "url": "https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/",
          "pub_date": "2026-05-20T14:21:46+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "check.git-service.com",
      "confidence": "high",
      "reason": "C2 infrastructure mentioned in context",
      "first_seen": "2026-05-19T18:00:09+00:00",
      "last_seen": "2026-05-19T21:36:40+00:00",
      "source_count": 3,
      "sources": [
        {
          "source": "Wiz",
          "url": "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack",
          "pub_date": "2026-05-19T21:36:40+00:00"
        },
        {
          "source": "Endorlabs",
          "url": "https://www.endorlabs.com/learn/trojanized-microsoft-sdk-durabletask-1-4-1-through-1-4-3-deliver-credential-stealing-malware",
          "pub_date": "2026-05-19T18:58:54+00:00"
        },
        {
          "source": "Aikido.Dev",
          "url": "https://www.aikido.dev/blog/durabletask-package-compromised-mini-shai-hulud",
          "pub_date": "2026-05-19T18:00:09+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "artemislab.cc",
      "confidence": "high",
      "reason": "Linked to suspicious cryptocurrency transactions and a dark web narcotics marketplace",
      "first_seen": "2026-05-19T12:13:26+00:00",
      "last_seen": "2026-05-19T13:49:51+00:00",
      "source_count": 2,
      "sources": [
        {
          "source": "Thehansindia",
          "url": "https://www.thehansindia.com/news/national/gujarat-rs-226-crore-dirty-crypto-network-buste-hamas-houthi-and-uk-drug-trade-links-found-1077317",
          "pub_date": "2026-05-19T13:49:51+00:00"
        },
        {
          "source": "Deshgujarat",
          "url": "https://deshgujarat.com/2026/05/19/gujarat-police-busts-%E2%82%B9226-crore-crypto-syndicate-9-held-over-terror-funding-dark-web-links/",
          "pub_date": "2026-05-19T12:13:26+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "87.96.21.84",
      "confidence": "high",
      "reason": "C2 server used to deliver malware",
      "first_seen": "2026-05-19T13:07:58+00:00",
      "last_seen": "2026-05-19T13:07:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Bitdefender",
          "url": "https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows",
          "pub_date": "2026-05-19T13:07:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "triada.ag",
      "confidence": "high",
      "reason": "Pre-installed backdoor identified as mobile malware",
      "first_seen": "2026-05-18T13:16:42+00:00",
      "last_seen": "2026-05-18T13:16:42+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Technadu",
          "url": "https://www.technadu.com/q1-2026-android-threat-landscape-banking-trojans-triada-ag-backdoor-surge/627952/",
          "pub_date": "2026-05-18T13:16:42+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "20.17.161.118",
      "confidence": "high",
      "reason": "C2 server used to orchestrate attacks",
      "first_seen": "2026-05-18T09:30:49+00:00",
      "last_seen": "2026-05-18T09:30:49+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Gbhackers",
          "url": "https://gbhackers.com/hackers-abuse-cloudflare-storage/",
          "pub_date": "2026-05-18T09:30:49+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "nats.io",
      "confidence": "high",
      "reason": "C2 server used for hosting malware command-and-control infrastructure",
      "first_seen": "2026-05-15T01:58:16+00:00",
      "last_seen": "2026-05-15T01:58:16+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "News.Risky.Biz",
          "url": "https://news.risky.biz/risky-bulletin-shai-hulud-goes-open-source/",
          "pub_date": "2026-05-15T01:58:16+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "mickeymousegamesdealer.al",
      "confidence": "high",
      "reason": "C2 server used by a threat actor",
      "first_seen": "2026-05-14T12:39:03+00:00",
      "last_seen": "2026-05-14T12:39:03+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Welivesecurity",
          "url": "https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/",
          "pub_date": "2026-05-14T12:39:03+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "trojandropper.fr",
      "confidence": "high",
      "reason": "Malware delivery domain",
      "first_seen": "2026-05-14T12:39:03+00:00",
      "last_seen": "2026-05-14T12:39:03+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Welivesecurity",
          "url": "https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/",
          "pub_date": "2026-05-14T12:39:03+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "45.192.109.25",
      "confidence": "high",
      "reason": "C2 server used to coordinate worker nodes",
      "first_seen": "2026-05-14T11:53:46+00:00",
      "last_seen": "2026-05-14T11:53:46+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Letsdatascience",
          "url": "https://letsdatascience.com/news/langflow-exploited-to-steal-aws-keys-and-deploy-nats-worker-2c4f3223",
          "pub_date": "2026-05-14T11:53:46+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "154.223.58.142",
      "confidence": "high",
      "reason": "Attacker IP address used for C2",
      "first_seen": "2026-05-14T11:12:20+00:00",
      "last_seen": "2026-05-14T11:12:20+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Darktrace",
          "url": "https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor",
          "pub_date": "2026-05-14T11:12:20+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "kro.kr",
      "confidence": "high",
      "reason": "Domain used to create C2 servers for PebbleDash and AppleSeed clusters",
      "first_seen": "2026-05-14T11:00:58+00:00",
      "last_seen": "2026-05-14T11:00:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
          "pub_date": "2026-05-14T11:00:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "morames.r-e.kr",
      "confidence": "high",
      "reason": "Domain used as C2 for AppleSeed",
      "first_seen": "2026-05-14T11:00:58+00:00",
      "last_seen": "2026-05-14T11:00:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
          "pub_date": "2026-05-14T11:00:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "n-e.kr",
      "confidence": "high",
      "reason": "Domain used to create C2 servers for PebbleDash and AppleSeed clusters",
      "first_seen": "2026-05-14T11:00:58+00:00",
      "last_seen": "2026-05-14T11:00:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
          "pub_date": "2026-05-14T11:00:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "opedromos1.r-e.kr",
      "confidence": "high",
      "reason": "Domain used as C2 for AppleSeed",
      "first_seen": "2026-05-14T11:00:58+00:00",
      "last_seen": "2026-05-14T11:00:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
          "pub_date": "2026-05-14T11:00:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "o-r.kr",
      "confidence": "high",
      "reason": "Domain used to create C2 servers for PebbleDash and AppleSeed clusters",
      "first_seen": "2026-05-14T11:00:58+00:00",
      "last_seen": "2026-05-14T11:00:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
          "pub_date": "2026-05-14T11:00:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "p-e.kr",
      "confidence": "high",
      "reason": "Domain used to create C2 servers for PebbleDash and AppleSeed clusters",
      "first_seen": "2026-05-14T11:00:58+00:00",
      "last_seen": "2026-05-14T11:00:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
          "pub_date": "2026-05-14T11:00:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "r-e.kr",
      "confidence": "high",
      "reason": "Domain used to create C2 servers for PebbleDash and AppleSeed clusters",
      "first_seen": "2026-05-14T11:00:58+00:00",
      "last_seen": "2026-05-14T11:00:58+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/",
          "pub_date": "2026-05-14T11:00:58+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "agent.bi",
      "confidence": "high",
      "reason": "Referenced as part of a malicious webshell",
      "first_seen": "2026-05-13T14:34:51.437013+00:00",
      "last_seen": "2026-05-13T14:34:51.437013+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/",
          "pub_date": "2026-05-13T14:34:51.437013+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "dropper.agent.gi",
      "confidence": "high",
      "reason": "Described as a Python-compiled dropper for Spearal",
      "first_seen": "2026-05-13T14:34:51.437013+00:00",
      "last_seen": "2026-05-13T14:34:51.437013+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/",
          "pub_date": "2026-05-13T14:34:51.437013+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "gov-iq.net",
      "confidence": "high",
      "reason": "Used for executing commands via compromised email accounts",
      "first_seen": "2026-05-13T14:34:50.109085+00:00",
      "last_seen": "2026-05-13T14:34:50.109085+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "research.checkpoint.com",
          "url": "https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/",
          "pub_date": "2026-05-13T14:34:50.109085+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "runner.ec",
      "confidence": "high",
      "reason": "Malware delivery domain associated with modified Spark RAT",
      "first_seen": "2026-05-13T13:02:09.007681+00:00",
      "last_seen": "2026-05-13T13:02:09.007681+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/",
          "pub_date": "2026-05-13T13:02:09.007681+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "runner.lk",
      "confidence": "high",
      "reason": "Loader for modular SparrowDoor",
      "first_seen": "2026-05-13T13:02:09.007681+00:00",
      "last_seen": "2026-05-13T13:02:09.007681+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/",
          "pub_date": "2026-05-13T13:02:09.007681+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "webshell.se",
      "confidence": "high",
      "reason": "Webshell associated with FamousSparrow",
      "first_seen": "2026-05-13T13:02:09.007681+00:00",
      "last_seen": "2026-05-13T13:02:09.007681+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/",
          "pub_date": "2026-05-13T13:02:09.007681+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "83.142.209.194",
      "confidence": "high",
      "reason": "C2 server used to download secondary payload",
      "first_seen": "2026-05-12T14:46:50+00:00",
      "last_seen": "2026-05-13T03:09:46+00:00",
      "source_count": 2,
      "sources": [
        {
          "source": "Mexc",
          "url": "https://www.mexc.com/news/1085683",
          "pub_date": "2026-05-13T03:09:46+00:00"
        },
        {
          "source": "Letsdatascience",
          "url": "https://letsdatascience.com/news/mistralai-pypi-package-delivers-credential-stealing-malware-b0e4f3e6",
          "pub_date": "2026-05-12T14:46:50+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "cloudservbr.com",
      "confidence": "high",
      "reason": "C&C domain used for SHADOW-AETHER-064 communications",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "infra-telemetry.com",
      "confidence": "high",
      "reason": "C&C domain used for SHADOW-AETHER-064 communications",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "155.133.27.198",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-040",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "159.65.202.204",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-040",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "165.22.184.26",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-040",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "167.148.195.53",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-064",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "167.172.38.123",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-040",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "209.99.185.221",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-064",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "209.99.185.223",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-064",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "62.171.185.97",
      "confidence": "high",
      "reason": "C&C communications of SHADOW-AETHER-040",
      "first_seen": "2026-05-11T17:00:40+00:00",
      "last_seen": "2026-05-11T20:53:55+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Trendmicro",
          "url": "https://www.trendmicro.com/de_de/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html",
          "pub_date": "2026-05-11T20:53:55+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "tronfind-api.tronfindexplorer.com",
      "confidence": "high",
      "reason": "Host associated with a fake wallet identified as having credential theft capabilities",
      "first_seen": "2026-05-11T12:18:20.993347+00:00",
      "last_seen": "2026-05-11T12:18:20.993347+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "slowmist.medium.com",
          "url": "https://slowmist.medium.com/threat-intelligence-analysis-of-a-fake-tronlink-chrome-extension-phishing-campaign-768e8c0e8fb6",
          "pub_date": "2026-05-11T12:18:20.993347+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "trx-scan-explorer.org",
      "confidence": "high",
      "reason": "Indicates phishing strategy for specific regions",
      "first_seen": "2026-05-11T12:18:20.993347+00:00",
      "last_seen": "2026-05-11T12:18:20.993347+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "slowmist.medium.com",
          "url": "https://slowmist.medium.com/threat-intelligence-analysis-of-a-fake-tronlink-chrome-extension-phishing-campaign-768e8c0e8fb6",
          "pub_date": "2026-05-11T12:18:20.993347+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "legitserver.theworkpc.com",
      "confidence": "high",
      "reason": "Referenced as part of attacker-controlled C2 infrastructure.",
      "first_seen": "2026-05-09T20:18:53+00:00",
      "last_seen": "2026-05-09T20:18:53+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Cyfirma",
          "url": "https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/",
          "pub_date": "2026-05-09T20:18:53+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "45.138.16.64",
      "confidence": "high",
      "reason": "Confirmed as attacker-controlled ScreenConnect C2 infrastructure.",
      "first_seen": "2026-05-09T20:18:53+00:00",
      "last_seen": "2026-05-09T20:18:53+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Cyfirma",
          "url": "https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/",
          "pub_date": "2026-05-09T20:18:53+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "onmicrosoft.com",
      "confidence": "high",
      "reason": "Domain used in phishing campaign targeting Office 365 users. Note: onmicrosoft.com is the Microsoft-owned apex of the tenant default-domain namespace, so confirm the specific tenant subdomain before acting on the apex.",
      "first_seen": "2026-05-07T21:48:33.900181+00:00",
      "last_seen": "2026-05-07T21:48:33.900181+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "redsift.com",
          "url": "https://redsift.com/guides/beyond-dmarc-guide-layered-defense-against-domain-impersonation",
          "pub_date": "2026-05-07T21:48:33.900181+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "yourcornpany.com",
      "confidence": "high",
      "reason": "Typosquatting domain used in phishing attacks",
      "first_seen": "2026-05-07T21:48:33.900181+00:00",
      "last_seen": "2026-05-07T21:48:33.900181+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "redsift.com",
          "url": "https://redsift.com/guides/beyond-dmarc-guide-layered-defense-against-domain-impersonation",
          "pub_date": "2026-05-07T21:48:33.900181+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "micro-soft.com",
      "confidence": "high",
      "reason": "Lookalike domain used in phishing schemes",
      "first_seen": "2026-05-07T21:00:50+00:00",
      "last_seen": "2026-05-07T21:00:50+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Scworld",
          "url": "https://www.scworld.com/resource/beyond-the-inbox-why-your-domain-and-social-media-are-the-next-front-lines",
          "pub_date": "2026-05-07T21:00:50+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "bskke4.dnslog.cn",
      "confidence": "high",
      "reason": "Malware drop and execution detected via DNS lookup",
      "first_seen": "2026-05-07T10:48:12.654168+00:00",
      "last_seen": "2026-05-07T10:48:12.654168+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.sysdig.com",
          "url": "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface",
          "pub_date": "2026-05-07T10:48:12.654168+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "dnslog.cn",
      "confidence": "high",
      "reason": "DNS exfiltration associated with malicious activity; dnslog.cn is a shared public DNS-logging service, and the campaign-specific host is bskke4.dnslog.cn.",
      "first_seen": "2026-05-07T10:48:12.654168+00:00",
      "last_seen": "2026-05-07T10:48:12.654168+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.sysdig.com",
          "url": "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface",
          "pub_date": "2026-05-07T10:48:12.654168+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "111.90.145.139",
      "confidence": "high",
      "reason": "Operator focused on cloud credentials across multiple sessions",
      "first_seen": "2026-05-07T10:48:12.654168+00:00",
      "last_seen": "2026-05-07T10:48:12.654168+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.sysdig.com",
          "url": "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface",
          "pub_date": "2026-05-07T10:48:12.654168+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "203.10.98.186",
      "confidence": "high",
      "reason": "Used DNS-based out-of-band confirmation for RCE",
      "first_seen": "2026-05-07T10:48:12.654168+00:00",
      "last_seen": "2026-05-07T10:48:12.654168+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.sysdig.com",
          "url": "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface",
          "pub_date": "2026-05-07T10:48:12.654168+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "38.147.173.172",
      "confidence": "high",
      "reason": "Deploys NKAbuse variant via HuggingFace Spaces",
      "first_seen": "2026-05-07T10:48:12.654168+00:00",
      "last_seen": "2026-05-07T10:48:12.654168+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.sysdig.com",
          "url": "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface",
          "pub_date": "2026-05-07T10:48:12.654168+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "92.208.115.60",
      "confidence": "high",
      "reason": "Conducted sessions reading sensitive files for credential harvesting",
      "first_seen": "2026-05-07T10:48:12.654168+00:00",
      "last_seen": "2026-05-07T10:48:12.654168+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.sysdig.com",
          "url": "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface",
          "pub_date": "2026-05-07T10:48:12.654168+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "dns-providersa2.com",
      "confidence": "high",
      "reason": "C2 domain associated with malicious activity",
      "first_seen": "2026-05-07T07:44:23+00:00",
      "last_seen": "2026-05-07T07:44:23+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Technadu",
          "url": "https://www.technadu.com/malicious-nuget-packages-target-chinese-net-ecosystem-developers/627373/",
          "pub_date": "2026-05-07T07:44:23+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "forest-entityl.cc",
      "confidence": "high",
      "reason": "Malicious domain associated with malware activity",
      "first_seen": "2026-05-07T07:05:29+00:00",
      "last_seen": "2026-05-07T07:05:29+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Allafrica",
          "url": "https://allafrica.com/stories/202605070027.html",
          "pub_date": "2026-05-07T07:05:29+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "backward.so",
      "confidence": "high",
      "reason": "Malware delivery domain for ZiChatBot",
      "first_seen": "2026-05-06T13:00:34+00:00",
      "last_seen": "2026-05-06T13:00:34+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/",
          "pub_date": "2026-05-06T13:00:34+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "terminate.so",
      "confidence": "high",
      "reason": "Malware delivery domain for ZiChatBot",
      "first_seen": "2026-05-06T13:00:34+00:00",
      "last_seen": "2026-05-06T13:00:34+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Securelist",
          "url": "https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/",
          "pub_date": "2026-05-06T13:00:34+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "grantallarddata.com",
      "confidence": "high",
      "reason": "Identified as malicious and used in the campaign",
      "first_seen": "2026-05-05T20:36:53.025035+00:00",
      "last_seen": "2026-05-05T20:36:53.025035+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "blog.eclecticiq.com",
          "url": "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
          "pub_date": "2026-05-05T20:36:53.025035+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "hosted-by.yeezyhost.net",
      "confidence": "high",
      "reason": "Used by RedLine Stealer variants",
      "first_seen": "2026-05-05T20:36:53.025035+00:00",
      "last_seen": "2026-05-05T20:36:53.025035+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "blog.eclecticiq.com",
          "url": "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
          "pub_date": "2026-05-05T20:36:53.025035+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "kvk-blank-login.mediainsightsgroup.com",
      "confidence": "high",
      "reason": "Flagged as malicious by multiple AV vendors",
      "first_seen": "2026-05-05T20:36:53.025035+00:00",
      "last_seen": "2026-05-05T20:36:53.025035+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "blog.eclecticiq.com",
          "url": "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
          "pub_date": "2026-05-05T20:36:53.025035+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "leatherupcorp.com",
      "confidence": "high",
      "reason": "Flagged as malicious by multiple AV vendors",
      "first_seen": "2026-05-05T20:36:53.025035+00:00",
      "last_seen": "2026-05-05T20:36:53.025035+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "blog.eclecticiq.com",
          "url": "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
          "pub_date": "2026-05-05T20:36:53.025035+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "mediainsightsgroup.com",
      "confidence": "high",
      "reason": "Flagged as malicious by multiple AV vendors",
      "first_seen": "2026-05-05T20:36:53.025035+00:00",
      "last_seen": "2026-05-05T20:36:53.025035+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "blog.eclecticiq.com",
          "url": "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
          "pub_date": "2026-05-05T20:36:53.025035+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "77.91.68.141",
      "confidence": "high",
      "reason": "Identified as a primary command and control node",
      "first_seen": "2026-05-05T20:36:53.025035+00:00",
      "last_seen": "2026-05-05T20:36:53.025035+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "blog.eclecticiq.com",
          "url": "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
          "pub_date": "2026-05-05T20:36:53.025035+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "1980food.co",
      "confidence": "high",
      "reason": "Compromised South Korean site used to host Android BirdCall configuration.",
      "first_seen": "2026-05-05T15:17:23.348854+00:00",
      "last_seen": "2026-05-05T15:17:23.348854+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/",
          "pub_date": "2026-05-05T15:17:23.348854+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "cndsoft.co",
      "confidence": "high",
      "reason": "Compromised South Korean site used to host shellcode.",
      "first_seen": "2026-05-05T15:17:23.348854+00:00",
      "last_seen": "2026-05-05T15:17:23.348854+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/",
          "pub_date": "2026-05-05T15:17:23.348854+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "colorncopy.co",
      "confidence": "high",
      "reason": "Compromised South Korean site used to host shellcode.",
      "first_seen": "2026-05-05T15:17:23.348854+00:00",
      "last_seen": "2026-05-05T15:17:23.348854+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/",
          "pub_date": "2026-05-05T15:17:23.348854+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "sqgame.com",
      "confidence": "high",
      "reason": "Compromised sqgame site hosting trojanized games and malicious updates.",
      "first_seen": "2026-05-05T15:17:23.348854+00:00",
      "last_seen": "2026-05-05T15:17:23.348854+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/",
          "pub_date": "2026-05-05T15:17:23.348854+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "swr.co",
      "confidence": "high",
      "reason": "Compromised South Korean site used to host shellcode.",
      "first_seen": "2026-05-05T15:17:23.348854+00:00",
      "last_seen": "2026-05-05T15:17:23.348854+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.welivesecurity.com",
          "url": "https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/",
          "pub_date": "2026-05-05T15:17:23.348854+00:00"
        }
      ]
    },
    {
      "type": "ipv4",
      "value": "47.83.8.198",
      "confidence": "high",
      "reason": "Associated with malicious activity related to FINALDRAFT",
      "first_seen": "2026-05-05T10:16:26.273805+00:00",
      "last_seen": "2026-05-05T10:16:26.273805+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "www.elastic.co",
          "url": "https://www.elastic.co/security-labs/fragile-web-ref7707",
          "pub_date": "2026-05-05T10:16:26.273805+00:00"
        }
      ]
    },
    {
      "type": "domain",
      "value": "notepad-plus-plus-mac.org",
      "confidence": "high",
      "reason": "Domain associated with a malicious site misleading users to download malware",
      "first_seen": "2026-05-05T08:22:56+00:00",
      "last_seen": "2026-05-05T08:22:56+00:00",
      "source_count": 1,
      "sources": [
        {
          "source": "Cybersecuritynews",
          "url": "https://cybersecuritynews.com/beware-of-fake-notepad-for-mac-website/",
          "pub_date": "2026-05-05T08:22:56+00:00"
        }
      ]
    }
  ],
  "license": "CC-BY 4.0 \u2014 attribute ThreatCluster (https://threatcluster.io)",
  "report_false_positive": "hello@threatcluster.io"
}