IOC Radar
Domain · Medium · Signal 42/100

4be0b292596220167e47db0bceba5a2d.xyz

First Seen: Apr 17, 2026 (59d ago)
Last Seen: Apr 24, 2026 (53d ago)
Reports: 3 source reports
Confidence: 42% (medium)
Found in 3 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 42%
Signal Score: 42 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 10 techniques (T1008, T1027.004, T1041, T1059.001, T1059.005, T1071.001, T1105, T1140, T1547, T1548.002)

Feed Intelligence Summary

3 source reports · 42% confidence score

Category tags: api keys, appdata, basic script, bypass, c2 answer, config, decrypt, dga, executable file, exploitation activity, files, hex, indicator, iocs, lnk file, lnk malware, malware, network, powershell, pure, researched, t1008, t1027.004, t1041, t1059.001, t1059.005, t1071.001, t1105, t1140, t1547, t1548.002, web application attack

Activity Timeline

1 total observation (Apr 24)

Threat Activity Heatmap

[Weekly activity grid, Jun through the following Jun; only recoverable data point: Peak 2026-04-24]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)

This Indicator of Compromise (IOC), a domain name, represents a significant threat to organizational security, warranting immediate attention. With a score of 41.76 and its explicit non-whitelisted status, this IOC is strongly associated with malicious activities, specifically a widespread campaign involving over 3,000 stealer samples. If left unaddressed, the presence of this IOC in the environment could lead to severe consequences, including extensive data exfiltration, unauthorized system acc…

Threat Score: 42 (Medium Risk)
Signal Score: 42
Confidence: 42%
Reports: 3
First seen: Apr 17, 2026
Last seen: Apr 24, 2026

VirusTotal: Not checked

WHOIS

Description:
Recent analysis of a malware campaign revealed an extensive collection of 3,788 auto-generated samples associated with a stealer operation. The primary infection vector involves a standard LNK file that, upon execution, fetches and runs a Visual Basic Script. The context of this campaign is affiliated with a fraudulent scheme using a PDF labeled as a scam refund form, which is indicative of phishing tactics targeted at users. One of the key components of this malware is a PowerShell script downloaded from a specific URL. This script is notable for containing a hardcoded Advanced Encryption Standard (AES) key and initialization vector (IV), as it is responsible for decrypting various components of a larger payload. The end result is a persistent PowerShell backdoor, which connects to a command-and-control (C2) server. The primary endpoint is statically defined, while the fallback address is generated dynamically based on an API key, indicating a level of sophistication in the operational design.

References:
https://blog.synapticsystems.de/3000-stealer-samples-one-misconfigured-apache-server/


IOC Journey

medium
First detected 1 month ago · Last seen 1 month ago
Appeared in 3 threat reports