OSINT Volley 2026-01-09 - Unknown malware/GootLoader/Vidar
TLP WHITE | Author: pduggusa | Created: 2026-01-09 | Modified: 2026-02-08
157 IOCs (HIGH VOLUME)
Automated OSINT sweep from ThreatFox. Top malware families by indicator count: Unknown malware (6507), GootLoader (90), Vidar (29), Cobalt Strike (25), DeimosC2 (25). Source: abuse.ch ThreatFox API. TLS enrichment: 1176 IPs serve HTTPS; 1154 present self-signed certificates (C2 candidates). Pattern 54: sweep→volley automation.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: Unknown malware, GootLoader, Vidar, Cobalt Strike, DeimosC2
Indicators of Compromise (30 / 157 total)