{
  "type": "Domain",
  "indicator": "notrooter.pl",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/notrooter.pl",
    "alexa": "http://www.alexa.com/siteinfo/notrooter.pl",
    "indicator": "notrooter.pl",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4165672535,
      "indicator": "notrooter.pl",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "696c20d2f378456b9438cb2a",
          "name": "React2Shell (CVE-2025-55182) Honeypot",
          "description": "React2Shell (CVE-2025-55182) is a critical Remote Code Execution (RCE) vulnerability affecting the React Server Components (RSC) \"Flight\" protocol. It has a CVSS score of 10.0 (Critical).\n\nThe analyzed logs cover the period from December 4, 2025 to December 8, 2025. The following atomic indicators were extracted from the \"Suspicious\" traffic logs.",
          "modified": "2026-02-16T23:00:50.545000",
          "created": "2026-01-17T23:52:50.581000",
          "tags": [
            "url http",
            "react2shell",
            "cve202555182",
            "react server",
            "december",
            "base64",
            "malware dropper",
            "binary download",
            "botnet binary",
            "payload hosting",
            "execution",
            "critical",
            "xmrig",
            "rats",
            "vshell",
            "etherrat",
            "download",
            "dropper",
            "flash",
            "error",
            "bolts",
            "base64 python"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Bolts",
              "display_name": "Bolts",
              "target": null
            },
            {
              "id": "Base64 Python",
              "display_name": "Base64 Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jnazario",
            "id": "14926",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "URL": 9,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2379,
          "modified_text": "104 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69649796f4ecec74cac3be6e",
          "name": "Threat Intel Report - W49-2025",
          "description": "These are weekly baseline recommendations for all IT administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified during the week.",
          "modified": "2026-02-11T06:02:28.302000",
          "created": "2026-01-12T06:41:26.363000",
          "tags": [
            "mozi",
            "clearfake",
            "asyncrat link",
            "vidar link",
            "kongtuke",
            "russia",
            "urls https",
            "fake os",
            "update",
            "salatstealer"
          ],
          "references": [
            "https://any.run/malware-trends/",
            "https://urlhaus.abuse.ch/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 37,
            "FileHash-SHA1": 37,
            "FileHash-SHA256": 61,
            "URL": 421,
            "domain": 22,
            "hostname": 69
          },
          "indicator_count": 647,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 106,
          "modified_text": "110 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "694650e0a2a077b9b10ac41b",
          "name": "CVE-2025-55182: First Days of React2Shell Exploitations",
          "description": "CVE-2025-55182 has been acknowledged as a significant remote code execution (RCE) vulnerability exploited in the React2Shell component. An analysis of honeypot data from the vulnerability's disclosure up to December 9th revealed over 68,000 requests related to this exploit. Of these, approximately 97% were attempts to exploit the RCE, but only around 5,000 of those contained malicious code aimed at data exfiltration or fetching additional payloads.\n\nThe InfectedSlurs botnet, active since 2023, has quickly adopted React2Shell in its operations. This botnet typically deploys both Mirai and XMRig payloads. Another notable botnet, Rondo, has also begun leveraging the React2Shell vulnerability, having transitioned from using a wide array of exploits to focusing predominantly on this single vulnerability as of December 6th. This marks a significant methodological shift among threat actors toward concentrated exploit strategies.",
          "modified": "2026-01-19T07:05:35.562000",
          "created": "2025-12-20T07:31:44.688000",
          "tags": [
            "december",
            "react2shell",
            "mirai",
            "rondo",
            "outlaw",
            "infectedslurs",
            "iocs",
            "irc bot",
            "perl script",
            "bitsight",
            "xmrig",
            "shellbot",
            "april"
          ],
          "references": [
            "https://www.bitsight.com/blog/cve-2025-55182-analysis-of-react2shell-exploitations"
          ],
          "public": 1,
          "adversary": "Outlaw",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1587.003",
              "name": "Digital Certificates",
              "display_name": "T1587.003 - Digital Certificates"
            },
            {
              "id": "T1588.001",
              "name": "Malware",
              "display_name": "T1588.001 - Malware"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "URL": 16,
            "domain": 8,
            "hostname": 3,
            "FileHash-SHA256": 6
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "133 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.bitsight.com/blog/cve-2025-55182-analysis-of-react2shell-exploitations",
        "https://any.run/malware-trends/",
        "https://urlhaus.abuse.ch/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Outlaw"
          ],
          "malware_families": [
            "Bolts",
            "Base64 python"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "696c20d2f378456b9438cb2a",
      "name": "React2Shell (CVE-2025-55182) Honeypot",
      "description": "React2Shell (CVE-2025-55182) is a critical Remote Code Execution (RCE) vulnerability affecting the React Server Components (RSC) \"Flight\" protocol. It has a CVSS score of 10.0 (Critical).\n\nThe analyzed logs cover the period from December 4, 2025 to December 8, 2025. The following atomic indicators were extracted from the \"Suspicious\" traffic logs.",
      "modified": "2026-02-16T23:00:50.545000",
      "created": "2026-01-17T23:52:50.581000",
      "tags": [
        "url http",
        "react2shell",
        "cve202555182",
        "react server",
        "december",
        "base64",
        "malware dropper",
        "binary download",
        "botnet binary",
        "payload hosting",
        "execution",
        "critical",
        "xmrig",
        "rats",
        "vshell",
        "etherrat",
        "download",
        "dropper",
        "flash",
        "error",
        "bolts",
        "base64 python"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Bolts",
          "display_name": "Bolts",
          "target": null
        },
        {
          "id": "Base64 Python",
          "display_name": "Base64 Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jnazario",
        "id": "14926",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/jnazario/resized/80/Screen Shot 2016-07-24 at 12.24.30 PM.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "URL": 9,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 14,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 2379,
      "modified_text": "104 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69649796f4ecec74cac3be6e",
      "name": "Threat Intel Report - W49-2025",
      "description": "These are weekly baseline recommendations for all IT administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified during the week.",
      "modified": "2026-02-11T06:02:28.302000",
      "created": "2026-01-12T06:41:26.363000",
      "tags": [
        "mozi",
        "clearfake",
        "asyncrat link",
        "vidar link",
        "kongtuke",
        "russia",
        "urls https",
        "fake os",
        "update",
        "salatstealer"
      ],
      "references": [
        "https://any.run/malware-trends/",
        "https://urlhaus.abuse.ch/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 37,
        "FileHash-SHA1": 37,
        "FileHash-SHA256": 61,
        "URL": 421,
        "domain": 22,
        "hostname": 69
      },
      "indicator_count": 647,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 106,
      "modified_text": "110 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "694650e0a2a077b9b10ac41b",
      "name": "CVE-2025-55182: First Days of React2Shell Exploitations",
      "description": "CVE-2025-55182 has been acknowledged as a significant remote code execution (RCE) vulnerability exploited in the React2Shell component. An analysis of honeypot data from the vulnerability's disclosure up to December 9th revealed over 68,000 requests related to this exploit. Of these, approximately 97% were attempts to exploit the RCE, but only around 5,000 of those contained malicious code aimed at data exfiltration or fetching additional payloads.\n\nThe InfectedSlurs botnet, active since 2023, has quickly adopted React2Shell in its operations. This botnet typically deploys both Mirai and XMRig payloads. Another notable botnet, Rondo, has also begun leveraging the React2Shell vulnerability, having transitioned from using a wide array of exploits to focusing predominantly on this single vulnerability as of December 6th. This marks a significant methodological shift among threat actors toward concentrated exploit strategies.",
      "modified": "2026-01-19T07:05:35.562000",
      "created": "2025-12-20T07:31:44.688000",
      "tags": [
        "december",
        "react2shell",
        "mirai",
        "rondo",
        "outlaw",
        "infectedslurs",
        "iocs",
        "irc bot",
        "perl script",
        "bitsight",
        "xmrig",
        "shellbot",
        "april"
      ],
      "references": [
        "https://www.bitsight.com/blog/cve-2025-55182-analysis-of-react2shell-exploitations"
      ],
      "public": 1,
      "adversary": "Outlaw",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1587.003",
          "name": "Digital Certificates",
          "display_name": "T1587.003 - Digital Certificates"
        },
        {
          "id": "T1588.001",
          "name": "Malware",
          "display_name": "T1588.001 - Malware"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "URL": 16,
        "domain": 8,
        "hostname": 3,
        "FileHash-SHA256": 6
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "133 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "notrooter.pl",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "notrooter.pl",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780311546.3947735
}