Curated IOC feed from Decryption Digest (decryptiondigest.com) — practitioner-level cybersecurity threat intelligence covering malware, ransomware, phishing, and advanced persistent threats.
Indicators of Compromise (80)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| IPv4 | 83.136.208.246 | BlueNoroff C2 server — outbound connections observed on port 6783 from compromised endpoints running fake Zoom updater. Associated with ClickFix credential theft campaign targeting Web3 sector. | 2026-05-15 |
| IPv4 | 83.136.209.22 | BlueNoroff C2 server — part of ClickFix campaign infrastructure targeting Web3 sector executives via AI-generated Zoom meeting lures. | 2026-05-15 |
| IPv4 | 104.145.210.107 | BlueNoroff C2 server — confirmed in DNS blocklist recommendations alongside check02id[.]com and typo-squatted Teams/Zoom domains. | 2026-05-15 |
| IPv4 | 191.96.207.179 | ShinyHunters (UNC6661) operational infrastructure — flag any authentication or data access events from this IP in Okta, Salesforce, or cloud application logs. | 2026-05-15 |
| IPv4 | 196.251.83.162 | ShinyHunters vishing campaign infrastructure — correlated with social engineering operations targeting enterprise SaaS by EclecticIQ, April 2026. | 2026-05-15 |
| IPv4 | 163.5.210.210 | ShinyHunters exfiltration infrastructure — associated with bulk Salesforce API data extraction activity against enterprise targets. | 2026-05-15 |
| IPv4 | 94.156.167.237 | ShinyHunters phishing and C2 infrastructure — monitor for DNS or outbound connection events. | 2026-05-15 |
| IPv4 | 24.242.93.122 | ShinyHunters (UNC6661) operational IP — ASN 11427. Block at firewall and alert on historical SIEM hits. | 2026-05-15 |
| IPv4 | 23.234.100.107 | ShinyHunters (UNC6661) operational IP — ASN 11878. Block at firewall and alert on historical SIEM hits. | 2026-05-15 |
| IPv4 | 73.135.228.98 | ShinyHunters (UNC6661) operational IP — ASN 33657. Block at firewall and alert on historical SIEM hits. | 2026-05-15 |
| IPv4 | 149.50.97.144 | ShinyHunters (UNC6661) operational IP — ASN 201814 (Poland). Block at firewall and alert on historical SIEM hits. | 2026-05-15 |
| IPv4 | 76.64.54.159 | ShinyHunters sub-cluster UNC6671 operational IP — ASN 577. Include in blocklist sweep alongside 76.70.74.63 and 206.170.208.23. | 2026-05-15 |
| IPv4 | 76.70.74.63 | ShinyHunters sub-cluster UNC6671 operational IP — ASN 577. | 2026-05-15 |
| IPv4 | 206.170.208.23 | ShinyHunters sub-cluster UNC6671 operational IP — ASN 577. | 2026-05-15 |
| IPv4 | 191.96.224.96 | Water Saci campaign C2 infrastructure. Associated with mxtestacionamentos[.]com and Cloudflare Workers subdomains under the ef971a42 account identifier. | 2026-05-15 |
| IPv4 | 142.11.206.73 | C2 IP associated with sfrclak[.]com malware campaign. Block outbound traffic at firewall and DNS layers. | 2026-05-15 |
| domain | check02id.com | BlueNoroff C2 domain — used in ClickFix campaign targeting Web3 sector. Add to DNS blocklist. | 2026-05-15 |
| domain | thriddata.com | BlueNoroff typo-squatted domain used in fake Zoom/Teams meeting lures targeting Web3 sector executives. | 2026-05-15 |
| domain | uu03webzoom.us | BlueNoroff typo-squatted domain impersonating Zoom — used in AI-generated meeting invitation phishing campaign. | 2026-05-15 |
| domain | teams-live.org | BlueNoroff domain impersonating Microsoft Teams — used in ClickFix social engineering campaign. | 2026-05-15 |
| domain | ms-live.com | BlueNoroff domain impersonating Microsoft — part of multi-lure ClickFix campaign infrastructure. | 2026-05-15 |
| domain | mxtestacionamentos.com | Water Saci campaign C2 domain — add to perimeter firewall block lists alongside 191.96.224.96 and Cloudflare Workers subdomains. | 2026-05-15 |
| hostname | campagna1-api.ef971a42.workers.dev | Water Saci Cloudflare Workers C2 subdomain — ef971a42 account identifier. Monitor for new subdomains under this account as campaign rotates infrastructure. | 2026-05-15 |
| hostname | documents.ef971a42.workers.dev | Water Saci Cloudflare Workers C2 subdomain — ef971a42 account identifier. | 2026-05-15 |
| domain | bless-invite.com | ShinyHunters phishing domain used in credential theft campaign targeting enterprise SaaS users. | 2026-05-15 |
| domain | get-carrot-zoom.com | ShinyHunters phishing domain impersonating Zoom — used in credential harvesting campaign. | 2026-05-15 |
| domain | modernatx-zoom.com | ShinyHunters phishing domain — typo-squats Moderna combined with Zoom branding. | 2026-05-15 |
| domain | recurly-zoom.com | ShinyHunters phishing domain — typo-squats Recurly combined with Zoom branding, targeting SaaS billing accounts. | 2026-05-15 |
| domain | sfrclak.com | Multi-platform malware C2 domain. Block at DNS and firewall layers. Associated with artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux). | 2026-05-15 |
| FileHash-SHA256 | 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 | TCLBANKER MSI installer (loader) — Water Saci campaign. Drops banking trojan targeting financial sector. | 2026-05-15 |
| FileHash-SHA256 | 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 | TCLBANKER DLL variant — Water Saci campaign. Banking trojan component. | 2026-05-15 |
| FileHash-SHA256 | 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 | TCLBANKER payload — Water Saci campaign. Core banking trojan payload. | 2026-05-15 |
| FileHash-SHA256 | 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035 | BRICKSTORM ELF backdoor (pg_update) — targets VMware vCenter and ESXi. Provides persistent remote access. | 2026-05-15 |
| FileHash-SHA256 | 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df | BRICKSTORM ELF backdoor (spclisten) — targets VMware vCenter and ESXi. Listening component for C2 communications. | 2026-05-15 |
| FileHash-SHA256 | aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878 | BRICKSTORM ELF backdoor (vmp) — targets VMware vCenter and ESXi. VMP-protected variant. | 2026-05-15 |
| FileHash-SHA256 | 17158cd6490a2b3c672d087f3d69107643d6a6f7c67345461b10ae18f27e28d1 | Stage A Donut-style shellcode loader (~1.26 MB, position-independent x86) used for browser process injection. Alert immediately if detected on endpoint. | 2026-05-15 |
| FileHash-SHA256 | db446f0e1d18b43805bfefe1af934ae4b0879e376904635cc7e14eae2d7fc682 | BlueNoroff credential stealer — targets Chrome Login Data and Local State files. Deployed via fake Chrome Update LNK in Startup folder. Logs to %TEMP%\chromechip.log. | 2026-05-15 |
| FileHash-SHA256 | dd1c72823f933952619cbb86aaeaea43057a259e9a0c9e3b11c82225ec3faaa1 | BlueNoroff UAC bypass DLL — deployed alongside credential stealer (db446f0e...). Enables privilege escalation on compromised endpoints. | 2026-05-15 |
| FileHash-SHA256 | 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a | The Gentlemen ransomware Windows locker sample. Go-based encryptor deployed via Group Policy in the final stage of the intrusion chain. Source: Check Point Research leak analysis, May 2026. | 2026-05-20 |
| FileHash-SHA256 | 1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f | The Gentlemen ransomware Windows locker sample. Drops README-GENTLEMEN.txt ransom note and gentlemen.bmp desktop wallpaper. Source: Check Point Research leak analysis, May 2026. | 2026-05-20 |
| FileHash-SHA256 | 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c | The Gentlemen ransomware Linux locker sample. Targets Linux servers and ESXi hypervisors in the final domain-wide encryption stage. Source: Check Point Research leak analysis, May 2026. | 2026-05-20 |
| hostname | api.masscan.cloud | TeamPCP C2 domain used for encrypted credential collection in the TanStack npm supply chain worm attack (May 11, 2026). Block outbound DNS and HTTPS from all developer workstations and CI/CD runners. | 2026-05-21 |
| hostname | filev2.getsession.org | TeamPCP credential exfiltration endpoint — Session Protocol CDN domain used to evade threat intel blocklists. Stolen credentials encrypted with RSA-4096-OAEP wrapped AES-256-GCM and uploaded here from infected developer machines and CI/CD runners in the TanStack supply chain attack. | 2026-05-21 |
| domain | git-tanstack.com | TeamPCP attacker-controlled C2 domain spoofing the legitimate TanStack project (tanstack.com). Any DNS query to this domain from a developer machine confirms malicious payload execution. | 2026-05-21 |
| hostname | seed1.getsession.org | TeamPCP secondary exfiltration node using Session Protocol network with TLS-pinned certificate (CN: Oxen Privacy Tech Foundation, valid to 2033). Used alongside filev2.getsession.org in the TanStack npm supply chain attack credential theft campaign. | 2026-05-21 |
| FileHash-SHA256 | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c | router_init.js — primary 2.3 MB obfuscated JavaScript payload injected into @tanstack npm packages by TeamPCP. Present at package root outside dist/ or src/. Harvests 100+ credential file paths and exfiltrates via filev2.getsession.org. Source: StepSecurity Mini Shai-Hulud analysis, May 2026. | 2026-05-21 |
| FileHash-SHA256 | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 | tanstack_runner.js — secondary payload script executed via npm prepare lifecycle hook. Companion to router_init.js in the TeamPCP TanStack supply chain attack. Installs persistence via macOS LaunchAgent and Linux systemd service. Source: StepSecurity Mini Shai-Hulud analysis, May 2026. | 2026-05-21 |
| hostname | abc.haijing88.com | Silver Fox (UTG-Q-1000) C2 domain used by ABCDoor Python backdoor and ValleyRAT loader in AI-generated tax phishing campaign targeting industrial, retail, and transportation sectors across India, Russia, Indonesia, Japan, and South Africa. | 2026-05-23 |
| IPv4 | 216.126.225.129 | TeamPCP Megalodon supply chain attack C2 exfiltration server (port 8443). Malicious GitHub Actions workflows in 5,561 compromised repositories transmitted CI secrets, cloud credentials, SSH keys, and OIDC tokens to this IP. Attack window: May 18, 2026, 11:36–17:48 UTC. Block at network perimeter and DNS layer. | 2026-05-25 |
| IPv4 | 142.252.99.59 | Attacker VPS (AS62240 Clouvider) used in Akira-linked SonicWall Gen6 SSL-VPN CVE-2024-12802 exploitation campaign. Observed during brute-force and post-exploitation phases. Block at perimeter and monitor for historical SIEM hits. | 2026-05-26 |
| IPv4 | 45.86.208.240 | Attacker VPS (AS23470 ReliableSite) used in Akira-linked SonicWall Gen6 SSL-VPN exploitation. Associated with credential brute-force targeting SSL-VPN endpoints running vulnerable LDAP configurations. | 2026-05-26 |
| IPv4 | 77.247.126.239 | Attacker VPS observed in Akira-affiliated SonicWall SSL-VPN exploitation campaign targeting CVE-2024-12802. Block at network perimeter and include in threat intel feed. | 2026-05-26 |
| IPv4 | 104.238.205.105 | Attacker VPS (AS174 COGENT) linked to Akira ransomware SonicWall Gen6 exploitation. Used during post-authentication lateral movement phase following CVE-2024-12802 MFA bypass. | 2026-05-26 |
| IPv4 | 104.238.220.216 | Attacker VPS observed in Akira-affiliated SonicWall SSL-VPN exploitation. Part of multi-IP attacker infrastructure targeting Gen6 appliances with incomplete CVE-2024-12802 remediation. | 2026-05-26 |
| IPv4 | 193.163.194.7 | Attacker VPS observed during Akira ransomware SonicWall Gen6 exploitation campaign. Associated with initial brute-force and reconnaissance activity following MFA bypass via CVE-2024-12802. | 2026-05-26 |
| FileHash-SHA256 | d080f553c9b1276317441894ec6861573fa64fb1fae46165a55302e782b1614d | w.exe — Akira ransomware staging tool observed in post-exploitation following SonicWall Gen6 CVE-2024-12802 exploitation. Used during pre-encryption preparation phase. Source: Huntress SonicWall VPN exploitation analysis. | 2026-05-26 |
| FileHash-SHA256 | 1b153070934033deace7f04e77a72abe4e7e259271f885e25d81dc6337a9313d | win.exe — Akira ransomware staging tool observed after SonicWall Gen6 SSL-VPN compromise via CVE-2024-12802. Deployed alongside w.exe during ransomware staging phase prior to encryption. Source: Huntress SonicWall VPN exploitation analysis. | 2026-05-26 |
| IPv4 | 142.127.171.133 | ShinyHunters UNC6671 operational infrastructure (ASN 577) used in 2026 vishing SaaS extortion campaign targeting Charter Communications, Canvas, and 400+ organizations via Okta SSO credential harvesting. | 2026-05-27 |
| domain | datahub.ink | AUDIOFIX primary C2 domain used by JINX-0164 for credential exfiltration from cryptocurrency developers and wallet holders. Resolves to 208.115.220.17 and 185.175.59.85. | 2026-05-28 |
| domain | cloud-sync.online | AUDIOFIX secondary C2 domain for credential exfiltration from infected developer and crypto professional macOS systems. | 2026-05-28 |
| domain | byte-io.us | JINX-0164 tertiary C2 and payload retrieval endpoint used by both AUDIOFIX and MiniRAT for post-compromise operations. | 2026-05-28 |
| hostname | apple.driver-store.com | JINX-0164 AUDIOFIX payload delivery domain impersonating an Apple driver update service. Resolves to 89.36.224.5. Used in fake technical fix social engineering lure. | 2026-05-28 |
| hostname | apple.driver-update.io | Secondary JINX-0164 AUDIOFIX payload delivery domain spoofing Apple driver update branding. | 2026-05-28 |
| domain | driver-updater.net | Tertiary JINX-0164 payload delivery domain used to distribute AUDIOFIX malware disguised as a driver update. | 2026-05-28 |
| hostname | teams.live.us.org | JINX-0164 spoof domain impersonating Microsoft Teams used in fake recruiter virtual meeting lures targeting cryptocurrency professionals. | 2026-05-28 |
| domain | bitget-meeting.com | JINX-0164 spoof domain impersonating Bitget exchange meeting platform used in LinkedIn recruiter lures targeting crypto professionals. | 2026-05-28 |
| domain | live.ong | JINX-0164 meeting spoof domain used in fake recruiter virtual meeting invitations targeting cryptocurrency organization employees. | 2026-05-28 |
| FileHash-SHA256 | 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6 | AUDIOFIX Python-based stealer and RAT (HTTPS/ARM64 variant) — targets 51 crypto wallet extensions, 26 desktop wallets, and 7 browser credential stores. Source: Wiz research, May 28 2026. | 2026-05-28 |
| IPv4 | 185.100.85.250 | JINX-0164 infrastructure IP associated with AUDIOFIX C2 operations targeting cryptocurrency developers. | 2026-05-28 |
| IPv4 | 84.32.83.250 | JINX-0164 infrastructure IP associated with AUDIOFIX C2 and post-compromise operations. | 2026-05-28 |
| IPv4 | 153.92.126.84 | JINX-0164 infrastructure IP associated with MiniRAT backdoor C2 communications. | 2026-05-28 |
| IPv4 | 45.45.217.242 | JINX-0164 operator infrastructure IP used during post-compromise access phase. | 2026-05-28 |
| IPv4 | 208.115.220.17 | Resolution IP for AUDIOFIX C2 domain datahub.ink — JINX-0164 credential exfiltration infrastructure. | 2026-05-28 |
| IPv4 | 185.175.59.85 | Secondary resolution IP for AUDIOFIX C2 domain datahub.ink — JINX-0164 credential exfiltration infrastructure. | 2026-05-28 |
| IPv4 | 89.36.224.5 | Resolution IP for JINX-0164 AUDIOFIX delivery domain apple.driver-store.com — used in fake driver fix social engineering lure. | 2026-05-28 |
| IPv4 | 157.66.54.26 | Initial marimo /terminal/ws connection origin (AS141892, Indonesia) used to exploit CVE-2026-39987 pre-authenticated RCE in LLM agent post-exploitation incident documented by Sysdig on May 10, 2026. | 2026-05-30 |
| IPv4 | 104.28.162.160 | Cloudflare Workers egress IP (AS13335) used during distributed AWS secretsmanager:GetSecretValue calls and parallel SSH bastion sessions in the Marimo LLM agent post-exploitation attack, May 10, 2026. | 2026-05-30 |
| IPv4 | 104.28.165.251 | Cloudflare Workers egress IP (AS13335) used during distributed AWS secretsmanager:GetSecretValue calls and parallel SSH bastion sessions in the Marimo LLM agent post-exploitation attack, May 10, 2026. | 2026-05-30 |
| IPv4 | 104.28.165.169 | Cloudflare Workers egress IP (AS13335) used during distributed AWS secretsmanager:GetSecretValue calls and parallel SSH bastion sessions in the Marimo LLM agent post-exploitation attack, May 10, 2026. | 2026-05-30 |
| IPv4 | 104.28.157.50 | Cloudflare Workers egress IP (AS13335) used during distributed AWS secretsmanager:GetSecretValue calls and parallel SSH bastion sessions in the Marimo LLM agent post-exploitation attack, May 10, 2026. | 2026-05-30 |