Pulse: OSINT Volley 2026-01-12 - Vidar/AsyncRAT/DeimosC2
Author: pduggusa | TLP: WHITE | Created: 2026-01-12 | Modified: 2026-02-11
IOCs: 110 (high volume)
Automated OSINT sweep from ThreatFox. Top malware: Vidar(70), AsyncRAT(54), DeimosC2(22), ValleyRAT(22), Unknown malware(21). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep→volley automation.
MITRE ATT&CK techniques: none listed
Malware families: Vidar, AsyncRAT, DeimosC2, ValleyRAT, Unknown malware
Indicators of Compromise (110)