Domain · High · Verified · Signal 43/100
api.cloudtrafficservice.com
First Seen: Feb 4, 2026
Last Seen: Feb 19, 2026
Found in 5 reports. Confidence: high. Confidence scores are heuristic. Verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 43%
Signal Score: 43 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
5 source reports · 43% confidence score
Category tags: abuse.ch threatfox, abuse.ch threatfox api, abusech-threatfox-c2c, account brute force, active scanning, amaranth-dragon, anomalous activity, application attack, apt, apt28, apt29, auto-generated, automated analysis, automated attack, automated hunt, automated scan, automated sweep, automated threat, automated-analysis, automated-hunt, automated_attack, bde 85, beacon, block-or-filter-list, botnet infection, brute force, brute force attack, brute force attacks, brute force attempt, brute force attempts, brute_force, c2, c2 activity, c2 activity detected, c2 channel, c2 communication, c2 domain, c2 framework, c2 infrastructure, c2 server, c2-framework, c2-infrastructure, c2_activity, c2_framework, cnc, cobalt, cobalt group, cobalt strike, cobalt strike activity, cobalt-strike, cobalt-strike-beacon, cobaltstrike, code execution, command and control, command execution, command-and-control, communication protocol, compromise assessment, compromised credentials, compromised host, compromised host communication, compromised infrastructure detection, compromised system, compromised_credentials, contact, credential access, credential stealer, credential stuffing, credential-access, credential-stealing, cs beacon, cyber threats, data encryption, data exfiltration, data theft, data-theft, dcrat, ddos, deimosc2, denial of service, dns, duggan usa, dugganusa-research, europe/asia, exfiltration, exploit, external communication, fin7, finance, financial services, ftp, ftp brute force, ftp brute-force, ftp bruteforce, ftp_brute_force, ftp_bruteforce, http activity, http brute force, http bruteforce, http c2, http communication, http probing, http scanner, http scanning, http_scan, http_scanning, https, https scanning, https_scan, https_scanning, indicator, indicators of compromise, infrastructure acquisition reconnaissance, initial access, ioc, iocs, ip-address, ipv4, lateral movement, lateral_movement, malicious activity, malicious domain, malicious framework activity, malicious links, malicious network activity, malicious software, malware, malware activity, malware analysis, malware beacon, malware campaign, malware campaign activity, malware campaign analysis, malware communication, malware detection, malware distribution, malware distribution campaign, malware family, malware implant, malware indicators, malware: cobalt strike, malware_communication, malware_detected, malware_detection, meterpreter, network, network attacks, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network probing, network propagation, network protocol, network reconnaissance, network scanning, network security, network security monitoring, network traffic, network traffic analysis, network-indicators, network_ioc, njrat, notepad++, novel ioc, novel threat, novel-ioc, novel_ioc, osint, osint-volley, password attacks, password_attack, pattern 49, pattern-49, payload delivery, payload execution, phishing, port, possible apt activity, possible botnet activity, possible data exfiltration, possible malware, possible_botnet, possible_compromise, possible_exfiltration, post-exploitation, potential compromise, potential data exfiltration, potential exploit, potential malware infection, precog, precog detected, precog engine, process injection, protocol exploitation, rapid7, rat, rat activity, rdp_brute_force, rdp_bruteforce, reconnaissance, reflective dll injection, remcos trojan, remote access, remote access attempt, remote access tool, remote access trojan, remote services, remote-access, remote-access-tool, remote_access, researched, russia, security operations, self-signed certificate, self-signed certificates, self-signed-certificate, service, sign up, sliver, smb scanning, smtp, smtp brute force, smtp probing, software exploitation, ssh attack, ssh bruteforce, ssh_brute_force, ssh_bruteforce, ssl, ssl/tls, stealc, stealer, stix, supply chain compromise, systembc, t1003, t1003.001, t1005, t1016, t1018, t1021, t1021.001, t1021.002, t1027, t1040, t1041, t1046, t1047, t1053, t1055, t1056.001, t1059, t1059.001, t1059.003, t1068, t1071, t1071.001, t1076, t1077, t1078, t1083, t1090, t1090.001, t1095, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1190, t1203, t1204, t1204.001, t1204.002, t1210, t1219, t1486, t1499.001, t1499.002, t1499.003, t1528, t1539, t1547, t1555.003, t1562.001, t1563, t1565, t1566, t1566.001, t1566.003, t1568, t1568.002, t1569, t1569.002, t1572, t1573, t1573.001, t1583, t1583.001, t1583.004, t1587.001, t1588, t1589, t1590.001, t1595, t1595.001, t1595.002, t1595.003, tcp protocol, tcp scan, telnet, threat, threat actor, threat intelligence, threat intelligence feed, threatfox api, udp scan, unauthorized access, unauthorized access attempt, unidentified threat actor, unknown malware, unknown stealer, unknown threat actor, unknown-malware, unknown-stealer, validin, vidar, web security, web traffic, xworm
Activity Timeline: Feb 19
Threat Activity Heatmap (peak: 2026-02-19)
Activity counts: 24h: 0 (Dormant) · 7d: 0 (Dormant) · 30d: 0 (Dormant) · 3mo: 0 (Dormant)
Intelligence Summary (AI Generated)
The domain **api.cloudtrafficservice.com** has been identified as a significant indicator of compromise (IOC) associated with multiple malicious activities. First observed on February
Threat Score: 43 (Medium Risk)
Signal Score: 43%
Confidence: 5 reports
First seen: Feb 4, 2026
Last seen: Feb 19, 2026
Verified IOC
VirusTotal: Not checked
WHOIS
Description:
- The cyber attack involving Notepad++ appears to have exploited vulnerabilities in the hosting infrastructure, specifically through a provider linked to Hostinger. The attackers redirected users to a malicious server, enabling them to deliver compromised updates. Key elements of the attack include multiple IP addresses associated with the Command and Control (C2) domain, specifically 95.179.213.0, which was the source of the initial malicious file download, and 61.4.102.97, tied to the http://api.skycloudcenter.com domain that served as the C2 provider over HTTPS. Malicious operations utilized Cobalt Strike, with the beacon domain http://api.wiresguard.com operational since at least June 2025 and consistently hosted on Cloudflare. The Cobalt Strike beacon was confirmed to use the IP address 59.110.7.32 on port 8880, with additional analysis indicating that it remained accessible until January 2026.
IOC Journey: confidence high. First detected 4 months ago · Last seen 4 months ago. Appeared in 5 threat reports.