IOC Radar
IP · Medium · Signal 78/100

85.234.91.247

Location: United Kingdom (Chester, WLS)
ASN: AS59437 (G-Core Labs S.A)
First Seen: Jan 5, 2026 (166d ago)
Last Seen: May 14, 2026 (36d ago)
Reports: 8 source reports
Confidence: 78% (medium)
Found in 8 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 78%
Signal Score: 78 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs

54 techniques

Network Information

Country: GB (United Kingdom)
Region: Chester, WLS
ASN: AS59437
Organization: G-Core Labs S.A

IP Category

Proxy
Proxy server

Feed Intelligence Summary

Source reports: 8
Confidence score: 78%
Category tags: abusech-threatfox-c2c, abuseipdb, active scan, active scanning, apt, asia, asyncrat, auto-generated, auto-updated, bad reputation, blocked-ips, botnet activity, brand weaponization, brute force, brute force attack, c2, c2 infrastructure, c2-infrastructure, cert, china, cobalt, cobalt strike, command & control, command and control, credential access, credential harvesting, credential stuffing, cryptocurrency, cryptocurrency threats, cryptojacking, cyber threat advisory, cyber threats, data encryption, data exfiltration, data store exposure, ddos, ddos attacks, denial of service, electronic health records, encryption, europe, europe/asia, exploitation activity, exploited host, extortion, finance, financial services, gb, germany, github, hacking, health care and social assistance, health information technology, healthcare information systems, hong kong, hospital management, https, identity & access exploitation, indicator, indicators of compromise, information technology, infostealer, infrastructure acquisitionreconnaissance, injection activity, internet of things, ioc, iocs, iot botnet, iot security, iot targeted, iot/ics attack, isp-reputation, it infrastructure, kimwolf, lummastealer, malicious ip activity, malicious software, malware, malware analysis, medical services, mirai botnet, mitre-attack, network, network probing, north america, osint, osint-volley, password attacks, patient care, pattern-32, pattern-38, phishing, phishing attack, process injection, proxy, ransomware, ransomware threat intelligence, rat activity, reconnaissance, redline, remote access tool, researched, residential proxy, resource hijacking, scams & fraud, scanner, self-signed certificate, self-signed certificates, singapore, sliver, social engineering, software development, ssl, ssl certificates, ssl-enrichment, ssl/tls enrichment, stealc, stix 2.1, stix-2.1, supply chain attack, supply-chain, system disruption, t1016, t1016.001, t1027, t1036.006, t1041, t1053, t1055, t1056.001, t1059, t1059.001, t1071, t1071.001, t1078, t1090, t1102, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1140, t1189, t1190, t1195.002, t1203, t1204, t1204.002, t1219, t1486, t1490, t1496, t1499.001, t1499.002, t1547, t1547.001, t1555.003, t1565, t1566, t1566.001, t1566.002, t1566.003, t1568, t1569.002, t1573, t1583.006, t1585, t1586, t1587.001, t1590.001, t1595, t1595.001, t1595.002, t1595.003, team cymru, threat actor, threat actor ttps, threat-intelligence, threatfox feed, tor node, turkey, united kingdom, united states, unknown malware, unknown-malware, valleyrat, vulnerability scan, web application attack, web exploitation

Activity Timeline

1 total obs
May 14

Threat Activity Heatmap

[Heatmap: threat activity by weekday, Jun through Jun] Peak: 2026-05-14
Activity by window: 24h: 0 (Dormant) · 7d: 0 (Dormant) · 30d: 0 (Dormant) · 3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 78
Confidence: 78%
Reports: 8
First seen: Jan 5, 2026
Last seen: May 14, 2026
Geolocation: GB
Country: United Kingdom
Location: Chester, WLS
ASN: AS59437
Org: G-Core Labs S.A
Coords: 51.6510, -3.0147
Proxy

VirusTotal

Not checked

WHOIS

Description: ThreatFox: Mirai - botnet_cc
References:
https://analytics.dugganusa.com/api/v1/stix-feed
https://www.dugganusa.com
https://analytics.dugganusa.com/v2
https://www.dugganusa.com/post/from-1-to-5-how-we-mapped-a-post-operation-endgame-c2-infrastructure
https://www.dugganusa.com/post/we-found-their-server-pattern-38-c2-infrastructure-exposed
https://www.dugganusa.com/post/pattern-43-the-password-is-in-the-filename
https://www.dugganusa.com/post/stealc-rhadamanthys-anatomy-of-a-github-supply-chain-infostealer
https://www.dugganusa.com/post/pattern-38-github-supply-chain-attacks-use-stolen-developer-credentials-from-2023-breaches
https://analytics.dugganusa.com/api/v1/stix-feed/v2
https://threatfox.abuse.ch


IOC Journey

medium
First detected 5 months ago · Last seen 1 month ago
Appeared in 8 threat reports