OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex
TLP:WHITE | Author: pduggusa | Created: 2026-01-23 | Modified: 2026-02-22
Automated OSINT sweep from ThreatFox (abuse.ch ThreatFox API). Top malware families by indicator count: Meterpreter (103), Vidar (41), Phorpiex (39), Nitrogen Ransomware (36), AsyncRAT (28). SSL enrichment: 47 IPs serve HTTPS, of which 20 present self-signed certificates (flagged as C2 candidates). Pattern 54: sweep→volley automation.
MITRE ATT&CK & Malware Families
ATT&CK techniques:
Malware families: Meterpreter, Vidar, Phorpiex, Nitrogen Ransomware, AsyncRAT
Indicators of Compromise (67)