Domain · Medium · Signal 42/100
48dfdf60066952611548ed944d96cd29.xyz
First Seen
Apr 17, 2026
Last Seen
Apr 24, 2026
Found in 3 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
42%
Signal Score
42 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
3 source reports · 42% confidence score
Category tags
api keys, appdata, basic script, bypass, c2 answer, config, decrypt, dga, executable file, exploitation activity, files, hex, indicator, iocs, lnk file, lnk malware, malware, network, powershell, pure, researched, t1008, t1027.004, t1041, t1059.001, t1059.005, t1071.001, t1105, t1140, t1547, t1548.002, web application attack
Activity Timeline (Apr 24)
Threat Activity Heatmap · Peak: 2026-04-24
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain `48dfdf60066952611548ed944d96cd29.xyz` has been identified as a critical Indicator of Compromise (IOC) with a significant threat score of 41.76. Its presence signals potential involvement in malicious activities such as command and control (C2) operations, data exfiltration, and the transfer of malicious tools into the network. This IOC is particularly concerning as it is linked to a large volume of stealer samples, indicating its role in sophisticated data theft campaigns. Failure to…
Threat Score: 42 (Medium Risk)
Signal Score: 42
Confidence: 42%
Reports: 3
First seen: Apr 17, 2026
Last seen: Apr 24, 2026
VirusTotal: Not checked
WHOIS
Description: Recent analysis of a malware campaign revealed an extensive collection of 3,788 auto-generated samples associated with a stealer operation. The primary infection vector is a standard LNK file that, upon execution, fetches and runs a Visual Basic Script. The campaign is tied to a fraudulent scheme using a PDF labeled as a scam refund form, indicating phishing tactics aimed at users. One of the key components of this malware is a PowerShell script downloaded from a specific URL. This script is notable for containing a hardcoded Advanced Encryption Standard (AES) key and initialization vector (IV), and it is responsible for decrypting various components of a larger payload. The end result is a persistent PowerShell backdoor that connects to a command-and-control (C2) server. The primary endpoint is statically defined, while the fallback address is generated dynamically from an API key, indicating a degree of sophistication in the operational design.
IOC Journey
Medium · First detected 2 months ago · Last seen 1 month ago
Appeared in 3 threat reports