Domain · High confidence · Verified · Signal 55/100
api.wlpz.vip
First Seen: Jun 22, 2025 (366d ago)
Last Seen: Jul 9, 2025 (350d ago)
Reports: 4 source reports
Confidence: 55% (high)
VirusTotal detections: 1/91
Found in 4 reports. Confidence: high. Confidence scores are heuristic. Verify before acting on results.
IOC Type: Domain Name
Description: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 55%
Signal Score: 55 / 100
IDS Rule: No
Threat Context
Feed Intelligence Summary
Source reports: 4
Confidence score: 55%
Category tags
Activity Timeline
Timeline: Jul 9
Threat Activity Heatmap: peak 2025-07-09 (heatmap graphic not reproduced)
Activity by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Intelligence Summary (AI generated)
The domain **api.wlpz.vip** has been identified as a critical indicator of compromise (IOC) associated with multiple cyber threats originating from Peru. First observed on June
Threat Score: Medium Risk
Signal Score: 55
Confidence: 55%
Reports: 4
First seen: Jun 22, 2025
Last seen: Jul 9, 2025
Status: Verified IOC
WHOIS
- registrar: Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn)
- description: Operation Endgame: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or **Mirai** (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
- raw:
  Creation Date: 2021-11-12T14:14:34Z
  DNSSEC: unsigned
  Domain Name: wlpz.vip
  Domain Status: ok https://icann.org/epp#ok
  Name Server: dns27.hichina.com
  Name Server: dns28.hichina.com
  Registrant City: 1f8f4166599d23ee
  Registrant Country: CN
  Registrant Email: f651612a2f356ad3s@
  Registrant Fax Ext: 1f8f4166599d23ee
  Registrant Fax: 1f8f4166599d23ee
  Registrant Name: 1f8f4166599d23ee
  Registrant Organization: 839601078b439925
  Registrant Phone Ext: 1f8f4166599d23ee
  Registrant Phone: 1f8f4166599d23ee
  Registrant Postal Code: 1f8f4166599d23ee
  Registrant State/Province: 5c98a095ca800895
  Registrant Street: 1f8f4166599d23ee
  Registrar Abuse Contact Email: [email protected]
  Registrar Abuse Contact Phone: +86.95187
  Registrar IANA ID: 1599
  Registrar URL: www.net.cn
  Registrar WHOIS Server: whois.aliyun.com
  Registrar: Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn)
  Registry Domain ID: REDACTED FOR PRIVACY
  Registry Expiry Date: 2025-11-12T14:14:34Z
  Registry Registrant ID: REDACTED FOR PRIVACY
  Registry Tech ID: REDACTED FOR PRIVACY
  Tech City: REDACTED FOR PRIVACY
  Tech Country: REDACTED FOR PRIVACY
  Tech Organization: REDACTED FOR PRIVACY
  Tech Postal Code: REDACTED FOR PRIVACY
  Tech State/Province: REDACTED FOR PRIVACY
  Updated Date: 2024-06-13T03:10:24Z
IOC Journey
Confidence: high · First detected 1 year ago · Last seen 11 months ago
Appeared in 4 threat reports