{ "type": "Domain", "indicator": "inofokable.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/inofokable.net", "alexa": "http://www.alexa.com/siteinfo/inofokable.net", "indicator": "inofokable.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4006388418, "indicator": "inofokable.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "673d0a283fc9a37bebd76dc6", "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet", "description": "The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obscure users' identities. The infrastructure enables various threat actors to create their own services and launch DDoS attacks. The botnet employs multiple exploits, targeting vulnerable devices and evading common security solutions. NSOCKS is notorious among criminal forums and has been used by groups like Muddled Libra. The service allows users to purchase proxies with cryptocurrency, offering features such as domain filtering for targeted use. The open nature of NSOCKS has led to its abuse by other actors, including DDoS attackers and other proxy services like Shopsocks5 and VN5Socks.", "modified": "2024-12-19T21:05:39.998000", "created": "2024-11-19T21:59:04.039000", "tags": [ "ddos", "proxy service", "nsocks", "soho routers", "botnet", "shopsocks5", "cybercrime", "iot devices", "vn5socks", "ngioweb" ], "references": [ "https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ngioweb", "display_name": "ngioweb", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 13, "FileHash-MD5": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 386761, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "673dded7f40dd192014bfb8f", "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet", "description": "The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal.\n# Loader C2 Tier 2, which aims to identify and track users' IP addresses, has been launched by the Ministry of Defence (MoD) and the Russian Foreign Minister Sergei Lavrov.", "modified": "2024-12-20T13:04:00.850000", "created": "2024-11-20T13:06:31.364000", "tags": [ "active dga", "loader c2", "tier", "loader c2s", "bot c2s", "dns server", "c2s ips", "backconnect c2s" ], "references": [ "https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/NSOCKS_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 22 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "528 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/", "https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/NSOCKS_IOCs.txt", "https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Ngioweb" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "673d0a283fc9a37bebd76dc6", "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet", "description": "The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obscure users' identities. The infrastructure enables various threat actors to create their own services and launch DDoS attacks. The botnet employs multiple exploits, targeting vulnerable devices and evading common security solutions. NSOCKS is notorious among criminal forums and has been used by groups like Muddled Libra. The service allows users to purchase proxies with cryptocurrency, offering features such as domain filtering for targeted use. The open nature of NSOCKS has led to its abuse by other actors, including DDoS attackers and other proxy services like Shopsocks5 and VN5Socks.", "modified": "2024-12-19T21:05:39.998000", "created": "2024-11-19T21:59:04.039000", "tags": [ "ddos", "proxy service", "nsocks", "soho routers", "botnet", "shopsocks5", "cybercrime", "iot devices", "vn5socks", "ngioweb" ], "references": [ "https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ngioweb", "display_name": "ngioweb", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 13, "FileHash-MD5": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 386761, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "673dded7f40dd192014bfb8f", "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet", "description": "The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal.\n# Loader C2 Tier 2, which aims to identify and track users' IP addresses, has been launched by the Ministry of Defence (MoD) and the Russian Foreign Minister Sergei Lavrov.", "modified": "2024-12-20T13:04:00.850000", "created": "2024-11-20T13:06:31.364000", "tags": [ "active dga", "loader c2", "tier", "loader c2s", "bot c2s", "dns server", "c2s ips", "backconnect c2s" ], "references": [ "https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/NSOCKS_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 22 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "528 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "inofokable.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "inofokable.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780351643.6009953 }