OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce
TLP: WHITE | pduggusa | 2025-12-28 | Modified: 2026-01-27
Automated OSINT sweep from ThreatFox. Top malware families: ClearFake (101), Unknown malware (86), DragonForce (34), AsyncRAT (33), Meterpreter (16). Source: abuse.ch ThreatFox API. SSL enrichment: 50 IPs serving HTTPS, 6 of them with self-signed certificates (C2 candidates). Pattern 54: sweep→volley automation.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: ClearFake, Unknown malware, DragonForce, AsyncRAT, Meterpreter
Indicators of Compromise (151)
Indicator types: hostname, URL, domain, FileHash-MD5