IOC Radar
IP · Medium signal · 47/100

82.221.103.244

Location: Reykjavik, Capital Region, Iceland
ASN: AS50613 (Thor DC)
First seen: May 28, 2021 (1843 days ago)
Last seen: May 31, 2026 (14 days ago)
Reports: 11 source reports
Confidence: 47% (medium)
Found in 11 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 47%
Signal Score: 47 / 100
IDS Rule: No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 114 techniques

Network Information

Country: IS (Iceland)
Region: Reykjavik, Capital Region
ASN: AS50613
Organization: Thor DC

Feed Intelligence Summary

Source reports: 11
Confidence score: 47%

Category tags
.plaaaaaaaa nxdomainabuseabuseipdbacademic institutionsacceptaccess controlaccount securityactiveactive relatedactive scanactive scanningactivity beaconadded activeaddressaddress domainaddress firstaddress rangeadmin nameadwareadware.ibryteag organizationagentakamaialertsaliasalienvault_ransomwareall ipv4all scoreblueall searchallocation typeamazonamerica cityamerica flaganalysis dateanalyzer pasteanalyzer threatandroidapacheappdataapplearkei stealerartemisascii textasiaasnoneasnone germanyasnone unitedattorneyaustralia asnauthorityauto-colorav detectionsavast avgbackdoorbad reputationbankingbeaconbeapyberbewbittorrentbittorrent dhtbodybody doctypebody headbotnetbotnet activitybotnetsbreaking newsbrute forcebrute force attackbuttonbyvalc ipconfigc2callcanadacapacasecentos webcf e8cf movcheckcheckinchinachmod usagechromecidrcisco umbrellacity bonncivilcivil servicescivil societyck idck techniquesclickclick-based attackclosecloud infrastructurecloud providercnamecnccnc beaconcndigicert sha2cobalt strikecobaltstrikecodecode executioncode injectioncode issuescommandcommand & controlcommand and controlcommand executioncommunication protocolcompoodcompromised systemcompromised_site_redirector_fromcharcodeconsumer goodscontacted hostscontentcontent lengthcontent typecontrolcookiecopycopy md5copy sha1copy sha256corporate lawcountrycountry decountry unitedcowboy servercrawlcreation datecredential accesscredential harvestingcredential stuffingcredential theftcredit card servicescrimecura admacus cndigicertcus cngtscus ouservercyber securitycyber threatscyberfolksczechia unknownd0 addd0 movd3 movdadobradata accessdata copyingdata exfiltrationdata store exposuredata theftdata transferdata uploaddatabase securityddosddos attacksdefensedefense evasiondeletedelete cdelete filedeletes_executed_filesdelphidenial of servicedenverdetection listdetections namedeva psaadigital mediadigital signaturediscovery t1082displaynamedistributed attacksdistribution managementdlink devicesdnsdns 
attackdnssecdockdomaindomainpath namedomainsdomains showdoscom cdownloaderdr citydropperdrwebdublindynamicdynamicloaderearth lamiaecacceducationeducational resourceseducational serviceseducational technologyelectronic health recordselon muskemailsemails infoencryptencrypted connectionsencryptionendgameenterenter sourceenterprise securityentertainment technologyentity bns34entriesentries httpenumerateeraseerroresp4etet exploitet infoet p2pet trojanet webserveretherratetproetpro trojaneu cyber policieseuropeevasion attevasion ta0005example domainexec bypassexfiltrationexpirationexpiration dateexploitexploitation activityexploitsourceexternal ipextr dataextra dataextractextref1 jlf9 movfailedfakedout threatfalsefastly errorff c0ff d5ff fffilefilerepmalwarefilesfiles cfiles domainfiles ipfiles locationfiles matchingfiles showfilesadobe cfinancefinance and insurancefinancial servicesfinancial technologyfindfind sfixed lineflagflag unitedflashflight protocolfooterfor privacyformformatformbook stealerfound cacheframingfrancefreight forwardingftp brute forcegamesgctigeckogeneral fullgermanygermany asnget httpget httpgetget zonagithubgooglegoogle safegovernment technologygraph treehackershackinghandlehashhasheshat serverheader valuehealth care and social assistancehealth information technologyhealthcare information systemshellohighhigh sthigher educationhistorical otxhistory httpshomehome assistanthome networkhos datahos hoshos hosthos hostnamehospital managementhosthostilehostinghostnamehostname addhostname enumerationhtml publichtml smugglinghtml_smugglinghttphttp attackhttp brute forcehttp headershttp hosthttp requesthttp scannerhupigonhx88x89hybridicelandicmp trafficidentity & access exploitationids detectionsietfdtd htmlinboundinbound connectioninc orgidinc usageinclude dataindicatorinfoinformation gatheringinformation ispinformation technologyinfostealerinfrastructure acquisitionreconnaissanceingress tool transferinjectinjection activityinjection attacksinput 
validation bypassinstallinsurance carriers and related activitiesintelintellectual property lawintelligence agency surveillanceinternet of thingsintptrinvalid pointerinvalid urlinventory managementiociocsiosiot botnetiot devicesiot securityiot/ics attackiphoneipv4ipv4 addircirc nick commandirelandireland asnireland flagisis__elfisp charterisp hostnameit infrastructurejackpot pandajakuzjavascript cjaws webserverjournaljujuboxjumpk-12 educationkaijikawaii unicornkelihoskhtmllabellauncherlawlaw enforcement surveillancelaw practicelearnlegallegal consultinglegal researchlegal serviceslegal technologylehashless seeless whoislevel 3licenseline isplinuxlinux malwarelocallog4logistics technologylooklookuplowfilseattlelte allma mamacmaldocmalicious downloadmalicious linksmalicious powershell activitymalicious softwaremalwaremalware beaconmalware campaignmalware distributionmalware signingmalware sitemandatorymediamedia & entertainmentmedia centermedia distributionmedical servicesmediummedium riskmedium securitymetameta httpmetadata analysismexico unknownminocatmiraimirai botnetmirai elfmirai variantmitre attmobilemobile securitymobile threatmodify systemmodule loadmodules t1129moldova relatedmoldova unknownmontserratmovedmozimozillams windowsmsiemssql portmultimedia productionmutexesmvpower dvrnamename domainname legalname serversname tacticsnation-state activitynetherlandsnetherlands asnnetworknetwork attacksnetwork cnc beaconnetwork communicationnetwork enumerationnetwork intrusionnetwork namenetwork protocolnetwork reconnaissancenetwork scanningnetwork securitynextnext associatednext httpnext relatednext yaranextraynidsnids alertno datano expirationnone indicatornone relatednoodle ratnorth americansonso groupnso relatednumberobjectobject movedodigicert incogoogle trustopenopen threatopenurl coperating systemoperating system securityoptoutor textoracleorg deutscheorg principalos versionource urlouserver caoutboundoutbound trafficoxfordp2ppacking t1045page urlpandapanel 
forumparagonpassive dnspassword attackpassword attackspastepatch managementpathpath traversalpatient carepattern matchpayment processingpcappe sectionpegasuspegasus relatedpeoplephishingphishing attackphishing bankpleaseplesk forumpornportpost httppost utcorepowershellpragmaprcpresent aprpresent augpresent decpresent febpresent janpresent julpresent junpresent marpresent novpresent octprivate ipprocess detailsprocess injectionprocess t1543process32nextwprogramprojectprotocol exploitationprotocol h2psda ourpublic administrationpublic infrastructurepublic policypullpulse httppulse pulsespulse submitpulsespulses ipv4pulses nonepulses otxpulses urlpushpushdopybeapy cncpythonqueryquery typeransomransomwareraxrbprcerdpwrapreactreact2shellreadread creadsreads softwarereconnaissancerecord typerecord valueredacted forreferral urlrefreshregexpregional securityregulatory agenciesregulatory compliancerelatedrelated nidsrelated pulsesrelated tagsremote accessremote connectremote servicesrenosrequestrequest reviewresearchedresolverrorrestartresults aprresults augresults decresults febresults janresults junresults marretail tradereverse dnsrndcharrndhexrockrole titlerscsafe sitesama bussample hashsamplessamsungscams & fraudscan endpointsscan miraiscannerscans showscript domainsscript scriptscript urlsscripting attackssea psearchsearch hostsearch otxsecure serversecurity operationssecurity policysecurity tlsseen asnseen lastsegoe uiselfserverserver headerserver responseserversserviceset cookieshellshell uceshipping servicesshowshow techniqueshowingsignsignals mutexessite_redirectorsizeskynetslcc2sliversnojansoa nxdomainsocial engineeringsocial media securitysoftware developmentsoftware envoysoftware exploitationsoftware integritysoftware vulnerabilitiessonysouth koreaspamspanspawnsspigotsportsspywaresqlsqlite rollbackssh attackstarstatusstatus hostnamestealerstopstoragestreamstreaming servicesstringstringsstrongstylesubjectsuccesssuggessummarysupply chain attacksupply chain 
managementsuspsuspicious-udpsydneysyn scant1001t1003t1005t1011t1016.001t1018t1019t1021t1021.001t1021.006t1027t1027.002t1027.005t1030t1031t1036t1040t1041t1045t1046t1047t1049t1053t1055t1055.001t1057t1059t1059 veryt1059.001t1059.002t1059.003t1059.004t1059.006t1059.007t1060t1064t1068t1069.001t1069.002t1071t1071.001t1071.004t1076t1078t1078.004t1082t1083 readst1086t1088t1094t1098t1105t1110t1110.001t1110.002t1110.003t1110.004t1112t1114.002t1119t1129t1133t1140t1143t1147t1155t1176t1185t1189t1190t1192t1202t1203t1204.001t1204.002t1210t1218.001t1480t1480 executiont1486t1496t1497t1499.001t1499.002t1499.003t1543t1553.001t1553.004t1554.001t1554.003t1563t1563.002t1565t1566t1566.001t1566.002t1566.003t1568t1569.002t1573t1573.001t1583t1583.004t1584.005t1585.001t1587.001t1588t1589.001t1590.001t1595t1595.001t1595.002t1595.003t1596.001t1596.004t1598t1609ta0002 commandta0002 defenseta0003 createtag counttagstargeting databasetcp protocoltcp scantelekom agtelnet threattesla hackerstext cthreat actorthreat intelligencethreat preventionthrowtitletitle addedtitle logintitle metatls rsatlsv1tofseetoolstor analysistor nodetotaltraffic maskingtransportation managementtrending videostrojantrojan downloadertrojan featurestrojan malwaretrojandroppertsara brashearsttl valuetulachtypetype fixedtype indicatorudp connectionudp scanue codeoverlapunauthenticated accessunc5174unicodeunitedunited kingdomunited statesunixunknown nsunknown relatedunsafeupdated dateupdaterupnpurlsurls httpurls showusage typeuseruser executionvaluevalue addressverifyviewviprevirtoolvitrovmwarevshellvulnerability scanvuze btw32beapy cncwa statuswarehouse operationswealth managementweatherweb application attackweb application exploitweb application exploitationweb exploitationweb securityweb trafficwget commandwhoiswhois fieldwhois lookupwhois serverwhois showwin32 malwarewindirwindowswindows checkwindows createwindows malwarewindows ntwindows servicewinverwithoutwixworldwormwritewrite cwrite filex framex92xacxml 
titlexmrigyarayara detectionsyara rulezenboxzero click exploitzeuszinfoqzipcodezune

Activity Timeline

1 total observation (May 31)

Threat Activity Heatmap

Peak: 2026-05-31 (calendar grid not reproduced; only the peak date and the window counts below are recoverable)

Recent activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 47 (Medium Risk)
Signal Score: 47 · Confidence: 47% · Reports: 11
First seen: May 28, 2021
Last seen: May 31, 2026
Geolocation: IS · Country: Iceland · Location: Reykjavik, Capital Region
ASN: AS50613 · Org: Thor DC
Coords: 65.0000, -18.0000

VirusTotal: Not checked

WHOIS

References
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt, https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182, https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf, https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive, https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/, https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/, https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell, https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far, https://www.cve.org/CVERecord?id=CVE-2025-55182, https://nvd.nist.gov/vuln/detail/CVE-2025-55182, https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/, https://corelight.com/blog/react2shell, Tesla Hackers | https://www.teslarati.com/spacex, Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint, 142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source, IDS Detections Win32/ZonaInstaller Install Beacon, https://www.google • https://ampcid.google.com/v1/publisher •’https://ampcid.google.com/v1/publisher:getClientId\, https://tagassistant.google.com/ • https://www.google-analytics.com/debug/bootstrap?id=, https://www.google-analytics.com/debug/bootstrap?id=\, https://stats.g.doubleclick.net/j/collect\ • https://tagassistant.google.com/ • https://www.google.com/ads/ga, https://www.google-analytics.com/gtm/js?id=\ • https://www.googletagmanager.com/gtag/js?id= •, https://www.googletagmanager.com/gtag/js?id=\ • https://www.google-analytics.com/gtm/js?id=, 
This is why our team tells a back story. It can and does happen to anyone., We apologize for so may typos and errors. We strive to do better at that., 192.168.1.1 - WOW! Use your old equipment in a non - residential environment, http://xn.com/ • www.xn--linkedinxn-6u6e.com • http://www.linkedin-xn.com/ • www.linkedin-xn.com, Powerful Exploit: https://otx.alienvault.com/indicator/file/ba32802bdd1f0b91cf8c667b94426d73ee654ba0, Mirai Botnet - *Inbound & Outbound connection, IDS Detections: *WGET Command Specifying Output in HTTP Headers, IDS Detections: *D-Link Devices Home Network Administration Protocol Command Execution, IDS Detections: *JAWS Webserver Unauthenticated Shell Command Execution, IDS Detections: *MVPower DVR Shell UCE *Mirai Variant User-Agent (Outbound), Yara : Yara Detections : SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf, Alerts : dead_host nids_exploit_alert nids_malware_alert persistency_initd network_icmp, Alerts : tcp_syn_scan nolookup_communication network_cnc_http network_http, Alerts : network_http_post nids_alert chmod_syscall writes_to_stdout, Other Mitre ATT&CK T1480 T1553.00 T1027.013 T1057 T1069.002 T1071 T1071.004, https://www.anyxxxtube.net/search-porn/tsara-brashears/, https://www.pornhub.com/video/search?search=tsara+brashears, http://www.anyxxxtube.net/search-porn/tsara-brashears, http://www.anyxxxtube.net/search-porn/tsara-brashears/, pornokind.vgt.pl • https://pornokind.vgt.pl • https://www.pornokind.vgt.pl • https://www.pornokind.vgt.pl/, pornlynx.com • www.pornhub.com • www.anyxxxtube.com, https://frostty12ice.info/ • https://lawhubh.info, Needs researching: http://lib.jerusalem.muni.il.il • https://lib.jerusalem.muni.il.il, https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt, https://offers.Tethered to target iPhone - T-mobile.com/tethering/upsell.do, Kawaii-Unicorn.exe, IDS Detections: Win32/Unruy Rogue Search Host Observed | Yara Detections: EnigmaProtector, High Priority Alerts: infostealer_cookies 
persistence_autorun procmem_yara static_pe_anomaly, High Priority Alerts: suricata_alert antivm_bochs_keys physical_drive_access, Priority Alerts: physical_drive_access dynamic_function_loading resumethread_remote_process, Priority Alerts: enumerates_running_processes reads_self network_http, Priority Alerts: packer_entropy antidebug_ntsetinformationthread injection_rwx, Priority Alerts: createtoolhelp32snapshot_module_enumeration packer_unknown_pe_section_name, High Priority Alerts IDS: Backdoor.Darpapox/Jaku • CNAME CnC Beacon (WinVer 6.1), High Priority Alerts IDS: ADWARE/InstallCore.Gen Checkin • Adware.InstallCore.B Checkin, High Priority Alerts IDS: Arkei Stealer • Config Download Request Vidar/Arkei Stealer Client Data Upload • 192.157.56.140, High Priority Alerts IDS: Potentially Unwanted Application AirInstaller CnC Beacon Backdoor.Win32.Hupigon.dpgy Checkin, High Priority Alerts IDS: Possible Win32/Hupigon ip.txt with a Non-Mozilla UA • 192.157.56.140, High Priority Alerts IDS: Suspicious Zipped Filename in Outbound POST Request (Passwords.log) M2 • 192.157.56.140, High Priority Alerts IDS: Win32/Spigot Activity Potentially Unwanted Application AirInstaller • 192.157.56.140, High Priority Alerts IDS: • 199.59.243.228, High Priority Alerts IDS: Win32.Renos/Artro Trojan Checkin M1 Garveep POST CnC Beacon • 199.59.243.228, High Priority Alerts IDS: Best-targeted-traffic.com Spyware Install • 199.59.243.228, High Priority Alerts IDS: Win32.AdWare.iBryte.C Install Win32/Scudy.A Checkin • 199.59.243.228, High Priority Alerts IDS: iebaru Spyware User Agent Win32/Snojan Variant Uploading EXE • 199.59.243.228, High Priority Alerts IDS: (iebar) Dropper Checkin 2 (often scripts.dlv4.com related) • 199.59.243.228, High Priority Alerts IDS: Downloader (P2P Zeus dropper UA) Zeus Bot Connectivity Check • 199.59.243.228, https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing. 
• www.anyxxxtube.net •, ai-fairness-360.dev-lfprojects5.linuxfoundation.org •-ran-sc.dev-lfprojects5.linuxfoundation.org, [Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) / Jacuz /Mimikatz] continues…., [iRegarding - Serving IPs: 192.157.56.141 & 192.157.56.140 for http://tagram.com/ & continues, http://titkok.com/ Final URL: http://survey-smiles.com/ | URL that may infect its visitors with malware. (DigitalMistica)], URL that may infect its visitors with malware. Last 4 references (DigitalMistica)], https://www.virustotal.com/graph/g2b2eded7ffda4113a585a6f7ebce8042400faf85792e4203b89d7af93e86589b, ISP: Charter Communications Inc Usage Type Fixed Line ISP, dnvrco-pub-iedge-vip.email.rr.com spectrum.com Denver, Colorado USA, dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02., Reverse DNS dnvrco-pub-iedge-vip.email.rr.com, Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e, IDS Detections: Suspicious double Server Header Possible Kelihos, IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header, telemetry-incoming.r53-2.services.mozilla.com, https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel, http://www.door.net/ARISBE/arisbe.htm, talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov, https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl, https://otx.alienvault.com/pulse/669e42fea462f0c8f8db32a1, Antivirus Detections ELF:Hajime-Q\ [Trj] , Unix.Dropper.Botnet-6566040-0, Mirai, IDS Detections: WGET Command Specifying Output in HTTP Headers | MVPower DVR Shell UCE | Eir D1000 Modem CWMP Exploit RCE, IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution | Mirai Variant User-Agent (Outbound), IDS Detections: JAWS Webserver 
Unauthenticated Shell Command Execution | Outbound GPON Authentication Bypass Attempt (CVE-2018-10561), IDS Detections: Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound | Netgear DGN Remote Command Execution, IDS Detections: Eir D1000 Modem CWMP Exploit RCE, Yara Detections: SUSP_XORed_Mozilla , Linux_MiningSoftware , is__elf, https://redpiranha.net, https://github.com/chronicle/GCTI/blob/main/YARA/Sliver/Sliver__Implant_32bit.yara, https://github.com/chronicle/GCTI/blob/main/YARA/Sliver/Sliver__Implant_64bit.yara, https://github.com/chronicle/GCTI/tree/main/YARA/CobaltStrike, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32svc_Exe_v1_49_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Artifact64_v1_49_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bind64_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bind_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x.yara, 
https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_Dll_v3_11_to_v3_14.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_Dll_v2_1_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Dnsstager_Bin_v1_47_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_X64_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_X64_Dll_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager64_Bin_v3_2_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager64_Bin_v3_2_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Reverse64_Bin_v2_5_through_v4_x.yara, 
https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Reverse_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Smbstager_Bin_v2_5_through_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_Py_v3_3_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_Sct_v3_3_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_Vbs_v3_3_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Template_x86_Vba_v3_8_to_v4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__32bit_v2_x_to_4_x.yara, https://github.com/chronicle/GCTI/blob/main/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__64bit_v3_12_to_4_x.yara, https://www.virustotal.com/gui/file/018ef51a2af287a3d665e5057e6367eb0a5d5ef5a807af6c255eba26d20b4ccf/community, Axelo - vaet.com.json, Axelo - Robtex.com.csv, https://www.virustotal.com/gui/collection/threatfox_win_cobalt_strike, ThreatFox - Raspberry Robin.stix, Axelo - Stolec kradnie krypto.stix, ThreatFox - BRATA.stix, ThreatFox - Sliver.stix, ThreatFox - RM3.stix, https://github.com/bartblaze/Yara-rules/blob/master/rules/hacktools/RDPWrap.yar, Axelo - Robtex.com.stix, cobalt.json, ThreatFox - IRATA.stix, ThreatFox - Sorillus RAT.stix, ThreatFox - FTCODE.stix, ThreatFox - Nymaim.stix, ThreatFox - Erbium Stealer.stix, ThreatFox - Brute Ratel C4.stix, ThreatFox - Lumma Stealer.stix, ThreatFox - PrivateLoader.stix, 
https://1275.ru/ioc/1049/gs-130-mirai-botnet-iocs/?from=otx_130


IOC Journey

Confidence: medium
First detected 5 years ago · Last seen 14 days ago
Appeared in 11 threat reports