← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware
Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep→volley automation.
MITRE ATT&CK & Malware Families
Indicators of Compromise (102)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| hostname | yourfearcig.no-ip.biz | ThreatFox: NjRAT - botnet_cc | 2026-01-27 | |
| hostname | myleingg.ddns.net | ThreatFox: XWorm - botnet_cc | 2026-01-27 | |
| hostname | 22.tcp.cpolar.top | ThreatFox: XWorm - botnet_cc | 2026-01-27 | |
| hostname | slayieure-62635.portmap.host | ThreatFox: XWorm - botnet_cc | 2026-01-27 | |
| hostname | krast-30188.portmap.host | ThreatFox: Quasar RAT - botnet_cc | 2026-01-27 | |
| URL | https://imeta-bypass-check.t3.storage.dev/Verify-to-Continue-ID-JJ-260125.html | ThreatFox: Unknown malware - payload_delivery | 2026-01-27 | |
| domain | ultra4ktool.com | ThreatFox: Stealc - botnet_cc | 2026-01-27 | |
| hostname | identity.mulberri.in | ThreatFox: Unknown malware - botnet_cc | 2026-01-27 | |
| hostname | norbert-dev1.cydardev.cloud | ThreatFox: Havoc - botnet_cc | 2026-01-27 | |
| hostname | kid.cdcmn.edu.bd | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| hostname | kid.lidiia.com.ua | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://kid.cdcmn.edu.bd/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://kid.lidiia.com.ua/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| FileHash-MD5 | 020d888236be6a7fffa99c7f35bf2797 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | d6a9f97b4e37f6d619a5b88c2947730e | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 410a2742a98634af637d498c7cfa04a3 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 4bfb227d9445981d2940fe7d20001ed3 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | f4ed428b01841e8731fa3611b9d7a73b | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | a41c78d94c70caa49d30fca0b62e15b2 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | ab03fe3fb16b8b931d2679e67f571cf1 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 147e72282e47ba19f121402abc358bc2 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 3bc9f741223f23601c3a8975da552af6 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | f1347fec7c34ba11884cb216c7ff5af0 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 733efdd0895e5fd1fe9ee73d214ce58c | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | a9b717d4d038bf50b08c5de5b491e32e | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | b80c7b84bb479a2ec526f0b195a83b99 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 47deaf4e5b35781b5447c3a1b92721ad | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 5062c623fe8368cc69c00a8f7d780fbb | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | af123fab559cb11a1a844acf997b2c61 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | de96beb0baa7243dd7f39b2c400bbc44 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 30121e98200ba3a8ae4704c3441f2618 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | ac8acef11171d3d45bb9386b59f7e2a9 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | f558a0bcd20e01e46551a491c66114e8 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | f578c14c36833491fa8aa407b4d4b00b | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | ac9088078884311fd32c47997c5c77cc | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | e0080e35657caed78566384a2e7b1ef4 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | d244b63e40aab7299d194c11bf060054 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 7170292337a894ce9a58f5b2176dfefc | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 9323fca75a86c75ffbdcc88ed8f35e5a | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 7ff1a6efe00d7b78094d3eb1740f179c | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | a6d91094a222da6576260abf52a07b79 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | f52d8ae29652f58eda468caf80aebc33 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 6880e0567dc6a8885d1d58b79b6d5c12 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 08b7c181fa4f234e3b3ad8a0e36c613b | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 4e7434ac13001fe55474573aa5e9379d | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | a065c2d25096957126b9739f95810a12 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 03427263da43843baf7cfd85f305fc77 | ThreatFox: BQTlock - payload | 2026-01-27 | |
| FileHash-MD5 | 1859f56847ccabc6581a56f55041955f | ThreatFox: BQTlock - payload | 2026-01-27 | |
| URL | https://peg.bexca.org | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://steamcommunity.com/profiles/76561198747567141 | ThreatFox: Vidar - payload_delivery | 2026-01-27 | |
| hostname | peg.bexca.org | ThreatFox: Vidar - payload_delivery | 2026-01-27 | |
| hostname | account.quarklab.app | ThreatFox: Unknown malware - botnet_cc | 2026-01-27 | |
| hostname | account.quarkdrainer.com | ThreatFox: Unknown malware - botnet_cc | 2026-01-27 | |
| domain | vobshepohuy.top | ThreatFox: Vidar - payload_delivery | 2026-01-27 | |
| hostname | cpanel.mahfuzrealtor.com | ThreatFox: FAKEUPDATES - botnet_cc | 2026-01-27 | |
| URL | https://reberts.com/js.php | ThreatFox: KongTuke - payload_delivery | 2026-01-27 | |
| domain | reberts.com | ThreatFox: KongTuke - payload_delivery | 2026-01-27 | |
| URL | https://reberts.com/6h3d.js | ThreatFox: KongTuke - payload_delivery | 2026-01-27 | |
| URL | https://homencck.com/3s5a.js | ThreatFox: KongTuke - payload_delivery | 2026-01-27 | |
| URL | https://boostnoise.com/auth | ThreatFox: Unknown malware - botnet_cc | 2026-01-27 | |
| hostname | theretas.fencingoregon.com | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| hostname | qudor.fencingoregon.com | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| hostname | ontera.fencingoregon.com | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://vobshepohuy.top/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://theretas.fencingoregon.com/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://qudor.fencingoregon.com/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://ontera.fencingoregon.com/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://telegram.me/crelderko | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://cdn.jsdelivr.net/gh/relight-73-unsigned/tk-hz-ctrl/22-api-cloud | ThreatFox: ClearFake - payload_delivery | 2026-01-27 | |
| URL | https://cdn.jsdelivr.net/gh/grading-chatter-dock73/crispy-directory/boost | ThreatFox: ClearFake - payload_delivery | 2026-01-27 | |
| URL | https://cdn.jsdelivr.net/gh/grading-chatter-dock73/file-4-share/sand | ThreatFox: ClearFake - payload_delivery | 2026-01-27 | |
| domain | ravenkw.shop | ThreatFox: AsyncRAT - botnet_cc | 2026-01-27 | |
| URL | http://45.153.34.90/WEB/airff.ps1 | ThreatFox: Agent Tesla - payload_delivery | 2026-01-27 | |
| URL | https://securelearn.co/ | ThreatFox: Unknown malware - payload_delivery | 2026-01-27 | |
| hostname | noone5123-52149.portmap.host | ThreatFox: XWorm - botnet_cc | 2026-01-27 | |
| hostname | noone5123-59078.portmap.host | ThreatFox: XWorm - botnet_cc | 2026-01-27 | |
| URL | https://cdn.jsdelivr.net/gh/grading-chatter-dock73/file-4-share/ver1 | ThreatFox: ClearFake - payload_delivery | 2026-01-27 | |
| hostname | zortyfivev.crabdance.com | ThreatFox: Quasar RAT - botnet_cc | 2026-01-27 | |
| hostname | twobyonset.ydns.eu | ThreatFox: Quasar RAT - botnet_cc | 2026-01-27 | |
| domain | weareriu.cyou | ThreatFox: Lumma Stealer - botnet_cc | 2026-01-27 | |
| domain | forkgramme.com | ThreatFox: Unknown Stealer - botnet_cc | 2026-01-27 | |
| hostname | mif.cdcmn.edu.bd | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| hostname | mif.lidiia.com.ua | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://77.42.49.175/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://83.228.229.110/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://138.226.237.13/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://mif.cdcmn.edu.bd/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://mif.lidiia.com.ua/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| URL | https://192.177.26.249/ | ThreatFox: Vidar - botnet_cc | 2026-01-27 | |
| domain | modaaura.store | ThreatFox: Unknown malware - payload_delivery | 2026-01-27 | |
| URL | https://modaaura.store/image.jpg | ThreatFox: Unknown malware - payload_delivery | 2026-01-27 | |
| URL | http://ingov.myartsonline.com/login9875.php | ThreatFox: Unknown malware - botnet_cc | 2026-01-27 | |
| URL | https://18.216.144.67/ | ThreatFox: Unknown malware - payload_delivery | 2026-01-27 | |
| domain | lionsmanetech.shop | ThreatFox: Stealc - botnet_cc | 2026-01-27 | |
| URL | http://138.226.237.6 | ThreatFox: Stealc - botnet_cc | 2026-01-27 | |
| hostname | winterfall102.ddns.net | ThreatFox: AsyncRAT - botnet_cc | 2026-01-27 | |
| hostname | million-acc.gl.at.ply.gg | ThreatFox: XWorm - botnet_cc | 2026-01-27 | |
| hostname | niggerinmybuthole-56571.portmap.host | ThreatFox: XWorm - botnet_cc | 2026-01-27 | |
| hostname | www.officedirectorqsecondbackup.com | ThreatFox: Remcos - botnet_cc | 2026-01-27 | |
| hostname | www.officedirectorqbackup.com | ThreatFox: Remcos - botnet_cc | 2026-01-27 | |
| hostname | www.officedirectorq.com | ThreatFox: Remcos - botnet_cc | 2026-01-27 | |
| URL | http://lionsmanetech.shop/1f66bbb8fea047c0.php | ThreatFox: Stealc - botnet_cc | 2026-01-27 |
