OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce
Automated OSINT sweep of the abuse.ch ThreatFox API. Top malware families by IOC count in the sweep: ClearFake (89), Unknown malware (85), DragonForce (34), AsyncRAT (33), Mirai (27). SSL enrichment: 51 IPs answered on HTTPS, 8 of them presenting self-signed certificates (flagged as C2 candidates; a self-signed certificate by itself is a weak signal, so weigh it with the rest of the ThreatFox record before blocking). Pattern 54: sweep→volley automation.
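The sweep→volley step described above, as an added example that is not the pulse author's tooling: it parses a ThreatFox `get_iocs` reply (a constructed sample mirroring rows from the table below, embedded so the code runs offline), normalizes each record into the pulse's TYPE / INDICATOR / DESCRIPTION / CREATED row, flags hostnames that sit on shared dynamic-DNS zones, lists the IP-hosted IOCs the SSL-enrichment step should probe, and separates self-signed certificates from merely untrusted ones using OpenSSL's verify code. The `ip:port` → `IPv4` mapping, the two-dots hostname/domain heuristic and the suffix list are assumptions of this example; the `probe_tls` function needs network access and is not exercised offline; a live query of the API also needs an abuse.ch API key, which the example does not implement.

```python
"""Sweep -> volley helper: turn a ThreatFox get_iocs reply into pulse rows and pick the
IP-hosted IOCs the SSL-enrichment step should probe. Added example, not the pulse tooling."""
import json
import socket
import ssl
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Dynamic-DNS and tunnelling suffixes that recur in the table. A hit means the parent zone is
# shared infrastructure: block the full hostname, never the suffix. (Assumed list.)
SHARED_SUFFIXES = ("duckdns.org", "no-ip.biz", "no-ip.org", "no-ip.info", "ddns.net", "dyndns.biz",
                   "myftp.org", "zapto.org", "bounceme.net", "chickenkiller.com", "dpdns.org",
                   "portmap.host", "ply.gg", "frii.site", "gleeze.com")
# ThreatFox ioc_type -> pulse TYPE column (ip:port -> IPv4 is an assumption; ThreatFox 'domain'
# records are split into hostname/domain by a two-or-more-dots heuristic in normalize()).
PULSE_TYPES = {"url": "URL", "md5_hash": "FileHash-MD5", "sha1_hash": "FileHash-SHA1",
               "sha256_hash": "FileHash-SHA256", "ip:port": "IPv4"}
# OpenSSL X509 verify codes: 18 = self-signed leaf, 19 = self-signed certificate in chain.
SELF_SIGNED_CODES = {18, 19}

def rec(ioc, ioc_type, threat_type, malware, confidence=75):
    # One record in the field layout ThreatFox returns; the values are constructed sample data.
    return {"ioc": ioc, "ioc_type": ioc_type, "threat_type": threat_type, "malware_printable": malware,
            "confidence_level": confidence, "first_seen": "2025-12-28 00:00:00 UTC"}

# Constructed reply that mirrors rows from the table (192.0.2.10 is a documentation address).
SAMPLE_RESPONSE = json.dumps({"query_status": "ok", "data": [
    rec("http://westpointwelbyplay.info:8080/updater?for=0AA6B9F07A5B27B2069C137C69EC91EB",
        "url", "botnet_cc", "Unknown malware", 50),
    rec("draft23.duckdns.org", "domain", "botnet_cc", "Mirai"),
    rec("paopao.fit", "domain", "botnet_cc", "ValleyRAT"),
    rec("https://soundtu.sbs/api", "url", "botnet_cc", "Lumma Stealer", 100),
    rec("https://20.92.160.27/", "url", "payload_delivery", "Unknown malware", 50),
    rec("05f1a39c0902297debceb4c9c4c6674c", "md5_hash", "payload", "DragonForce", 100),
    rec("192.0.2.10:443", "ip:port", "botnet_cc", "Stealc")]})

def is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False

def host_port(record):
    """(host, port) for network IOCs, (None, None) for hashes; URLs default to the scheme's port."""
    ioc, kind = record["ioc"], record["ioc_type"]
    if kind == "ip:port":
        host, _, port = ioc.rpartition(":")
        return host, int(port)
    if kind == "url":
        parts = urlsplit(ioc)
        return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    return (ioc, None) if kind == "domain" else (None, None)

def normalize(response_json):
    """Parse a get_iocs reply into pulse-style rows; refuse a reply whose query_status is not ok."""
    reply = json.loads(response_json)
    if reply.get("query_status") != "ok":
        raise ValueError(f"ThreatFox query failed: {reply.get('query_status')}")
    rows = []
    for record in reply["data"]:
        kind, ioc = record["ioc_type"], record["ioc"]
        if kind == "domain":
            ptype = "hostname" if ioc.count(".") >= 2 else "domain"
        else:
            ptype = PULSE_TYPES.get(kind, kind)
        host, port = host_port(record)
        rows.append({"type": ptype, "indicator": ioc, "malware": record["malware_printable"],
                     "description": f"ThreatFox: {record['malware_printable']} - {record['threat_type']}",
                     "created": record["first_seen"][:10], "host": host, "port": port,
                     "shared_dns": bool(host) and any(host == s or host.endswith("." + s)
                                                      for s in SHARED_SUFFIXES)})
    return rows

def top_malware(rows, n=5):
    """Family counts in the same form as the pulse summary ('ClearFake(89), ...')."""
    return Counter(r["malware"] for r in rows).most_common(n)

def tls_targets(rows):
    """IP-hosted IOCs as (ip, port): the list the SSL-enrichment probe walks (443 if no port)."""
    return sorted({(r["host"], r["port"] or 443) for r in rows if r["host"] and is_ip(r["host"])})

def is_self_signed_code(verify_code):
    return verify_code in SELF_SIGNED_CODES

def probe_tls(host, port, timeout=5.0):
    """Live probe (not exercised offline). Verifies against the system trust store and uses
    OpenSSL's verify_code to tell a self-signed cert from one that is merely untrusted."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "valid"
    except ssl.SSLCertVerificationError as exc:
        return "self-signed" if is_self_signed_code(exc.verify_code) else "untrusted"
    except (ssl.SSLError, OSError):
        return "no-tls"

def render_table(rows):
    """Emit the pulse's markdown IOC table from normalized rows."""
    head = ["| TYPE | INDICATOR | DESCRIPTION | CREATED |", "|---|---|---|---|"]
    body = [f"| {r['type']} | {r['indicator']} | {r['description']} | {r['created']} |" for r in rows]
    return "\n".join(head + body)
```

`probe_tls` deliberately keeps hostname and chain verification on: a handshake that succeeds against the system trust store is "valid", while a failure is classified by `verify_code` so that an expired or unknown-CA certificate is not counted as a self-signed C2 candidate.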
MITRE ATT&CK & Malware Families
Indicators of Compromise (125)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| URL | http://westpointwelbyplay.info:8080/updater?for=0AA6B9F07A5B27B2069C137C69EC91EB | ThreatFox: Unknown malware - botnet_cc | 2025-12-28 |
| hostname | hhu.uk.com | ThreatFox: Quasar RAT - botnet_cc | 2025-12-28 |
| hostname | mjo.uk.com | ThreatFox: Quasar RAT - botnet_cc | 2025-12-28 |
| hostname | ervy2cgl.deepc0ve.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 7ozcjgwc.deepc0ve.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | uy8h00ja.deepc0ve.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 6ig14p8a.deepc0ve.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 44471.jp.net | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | login.44471.jp.net | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| domain | paopao.fit | ThreatFox: ValleyRAT - botnet_cc | 2025-12-28 |
| hostname | draft23.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | bot.johenlg.cloud | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | draft22.bounceme.net | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | reish8ohp1z.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | lited.myftp.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | yukivela.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | aeceze9o.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | cnc.kamill.fr | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | rc.b6ce.com | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | catelcro.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | katana.chernobyl.network | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | pma.jarry.onl | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | scan.kamill.fr | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | verykakaka.frii.site | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | bobnet.chernobyl.network | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | alanbotnet.dpdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | lizadesm.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | fishertriv.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | cnc.nijasec.io | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | cahngee2lei.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | aineeng9th.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | frohncrop77.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | draft22.zapto.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | uut5ooy7a.duckdns.org | ThreatFox: Mirai - botnet_cc | 2025-12-28 |
| hostname | pantera.no-ip.biz | ThreatFox: DarkComet - botnet_cc | 2025-12-28 |
| URL | http://mobiportal.at/itezlthrf5m | ThreatFox: TrickMo - botnet_cc | 2025-12-28 |
| URL | http://193.143.1.138/negxsh3dy1mdkqphuc | ThreatFox: TrickMo - botnet_cc | 2025-12-28 |
| hostname | spasm.no-ip.org | ThreatFox: DarkComet - botnet_cc | 2025-12-28 |
| hostname | nikokaramia.no-ip.org | ThreatFox: DarkComet - botnet_cc | 2025-12-28 |
| hostname | ppservr.dyndns.biz | ThreatFox: DarkComet - botnet_cc | 2025-12-28 |
| hostname | erayapk.duckdns.org | ThreatFox: DarkComet - botnet_cc | 2025-12-28 |
| hostname | missczarny.no-ip.biz | ThreatFox: DarkComet - botnet_cc | 2025-12-28 |
| hostname | hackerhazem1.no-ip.info | ThreatFox: CyberGate - botnet_cc | 2025-12-28 |
| hostname | jackweb15.ddns.net | ThreatFox: CyberGate - botnet_cc | 2025-12-28 |
| hostname | rektbynesho8.chickenkiller.com | ThreatFox: Nanocore RAT - botnet_cc | 2025-12-28 |
| hostname | 127.0.0.1rektbynesho8.chickenkiller.com | ThreatFox: Nanocore RAT - botnet_cc | 2025-12-28 |
| URL | http://196.251.107.31 | ThreatFox: Stealc - botnet_cc | 2025-12-28 |
| URL | http://178.17.59.22 | ThreatFox: Stealc - botnet_cc | 2025-12-28 |
| URL | https://soundtu.sbs/api | ThreatFox: Lumma Stealer - botnet_cc | 2025-12-28 |
| URL | https://atalowh.sbs/api | ThreatFox: Lumma Stealer - botnet_cc | 2025-12-28 |
| hostname | nationalwaste.uk.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | 9850.cn.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | hym.uk.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | epta.eu.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | name.sa.com | ThreatFox: DCRat - botnet_cc | 2025-12-28 |
| hostname | elt.uk.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | 356gfbo3to.gb.net | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | fitspresso.co.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | mosmet.ru.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | ksi.uk.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | zn3foc66.skyc0rest.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| URL | http://130.12.180.20:36695/cat.sh | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| hostname | vhe65fgx.skyc0rest.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | ad4wlprk.skyc0rest.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | l1etjecz.skyc0rest.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | ixwuvljz.windb1rd.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | xndpt67e.windb1rd.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| URL | https://20.92.160.27/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | https://54.197.245.249/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | https://216.172.170.236/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | https://173.254.106.143/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | https://172.191.195.85/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | https://41.216.188.41/login | ThreatFox: Unknown malware - botnet_cc | 2025-12-28 |
| URL | http://91.215.85.42:3003/login | ThreatFox: Unknown malware - botnet_cc | 2025-12-28 |
| hostname | c5r0ty9b.windb1rd.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | mi4ny8w7.windb1rd.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 0ucxq0mx.bluef0x.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | igbpzyhe.bluef0x.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 9pm93zo8.br1ghtf0rm.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | a2.nbdsnb2.top | ThreatFox: FatalRat - botnet_cc | 2025-12-28 |
| hostname | nmm9i8ce.br1ghtf0rm.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | ei353i4i.br1ghtf0rm.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | x5v04q4u.br1ghtf0rm.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | nanocoreee.ddns.net | ThreatFox: Nanocore RAT - botnet_cc | 2025-12-28 |
| hostname | cybergaat.ddns.net | ThreatFox: Nanocore RAT - botnet_cc | 2025-12-28 |
| hostname | mm-includes.gl.at.ply.gg | ThreatFox: SpyNote - botnet_cc | 2025-12-28 |
| URL | http://216.250.248.176 | ThreatFox: Stealc - botnet_cc | 2025-12-28 |
| hostname | kidplay.gleeze.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| hostname | tutr54756754u6-64430.portmap.host | ThreatFox: XWorm - botnet_cc | 2025-12-28 |
| URL | http://38.47.238.110:8888/supershell/login/ | ThreatFox: Unknown malware - botnet_cc | 2025-12-28 |
| URL | https://81.177.139.97/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | https://43.135.162.33/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | https://gamify.in.net/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | http://gamify.in.net/ | ThreatFox: Unknown malware - payload_delivery | 2025-12-28 |
| URL | http://xboxtelemetry-defender.cc/cvdfnaFJBmC2/index.php | ThreatFox: Amadey - botnet_cc | 2025-12-28 |
| URL | http://microsoft-telemetry.cc/cvdfnaFJBmC1/index.php | ThreatFox: Amadey - botnet_cc | 2025-12-28 |
| hostname | 3ms7v0at.stormh1ll.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | llhl82wr.stormh1ll.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 2ah4j4gq.stormh1ll.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | fp57ddz7.stormh1ll.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | api.dyshop.online | ThreatFox: Cobalt Strike - botnet_cc | 2025-12-28 |
| hostname | tyr2to6g.cl0udpath.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 3ttsi6qg.cl0udpath.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | d2njqwvf.cl0udpath.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | u43n4xax.cl0udpath.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | pzskci29.shadowf1ow.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | zxa96eaf.shadowf1ow.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | cq10n3rg.shadowf1ow.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| hostname | 69gnv9zp.shadowf1ow.ru | ThreatFox: ClearFake - payload_delivery | 2025-12-28 |
| domain | micesisters.xyz | ThreatFox: Unknown Loader - botnet_cc | 2025-12-28 |
| domain | hpkr.help | ThreatFox: Unknown RAT - botnet_cc | 2025-12-28 |
| hostname | suzoo.ryxuz.com | ThreatFox: Unknown malware - botnet_cc | 2025-12-28 |
| URL | http://178.16.54.87/uda/ph.php | ThreatFox: Unknown malware - botnet_cc | 2025-12-28 |
| domain | setkapls99.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| domain | setkapls88.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| domain | setkapls77.com | ThreatFox: AsyncRAT - botnet_cc | 2025-12-28 |
| FileHash-MD5 | ef846baabc14fe461cff4c4a0fd5056f | ThreatFox: Nova Stealer - payload | 2025-12-28 |
| FileHash-MD5 | 4566f5ba6d1a1db0dd7794ea8d791b3f | ThreatFox: Nova Stealer - payload | 2025-12-28 |
| FileHash-MD5 | 66ca089cd347d18ae8ab200a4e7602a5 | ThreatFox: Nova Stealer - payload | 2025-12-28 |
| FileHash-MD5 | 45ac577dcbf721988b49768497ba3bb8 | ThreatFox: Nova Stealer - payload | 2025-12-28 |
| FileHash-MD5 | 4b93b2341974f36c9e464632e94d68b3 | ThreatFox: Nova Stealer - payload | 2025-12-28 |
| FileHash-MD5 | 826cc4ca915f9a49ec28b119a6655a5b | ThreatFox: Nova Stealer - payload | 2025-12-28 |
| FileHash-MD5 | c9f3f7a6a36a43c295afa2352c97d1c3 | ThreatFox: Nova Stealer - payload | 2025-12-28 |
| FileHash-MD5 | 05f1a39c0902297debceb4c9c4c6674c | ThreatFox: DragonForce - payload | 2025-12-28 |
| FileHash-MD5 | e67e7b8e0fb6baff4f25bb05dd5a5e21 | ThreatFox: DragonForce - payload | 2025-12-28 |