Domain · Medium · Signal 50/100
arena.ai
Location
First Seen: May 30, 2026
Last Seen: Jun 3, 2026
Found in 4 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 50%
Signal Score: 50 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
Source reports: 4
Confidence score: 50%
Category tags
.aia50 dataacceptactive scanaddress rangeadult contentadvanced microadversarial attacksai reportalertsall ipv4allocation typealone emailamazon dataamazonawsamerica asnamerica flaganalysis dateanguillaapplayerappleapple iosappleremotesupportarmadilloascii textauthenticationav detectionav detectionsavast avgbackdoorbelizebelize unknownbotnet activitybrute forcebuildidca ocspcamscheckin genericchromecidrck idck matrixclickcloud infrastructurecnmicrosoft tlscode signingcommandcommand & controlcommand decodecomspeccontacted domainscontent lengthcontent typecopycountrycreation datecreato touccsc corporatecursorcursor agentsd4n timestampd8n timestampdatadata uploaddebuggingdefense evasiondelphidigice rsadiscovery attdns attackdomainsdynamicloadereb e1ee fcelfelf executableelf infoelf64elf64 operationemailsencryptencryptionenter scentity adsn1entrieserroret httpexe uploadexec amd64exec amd6464executable fileexecution attexpimexpiresfriexploitexploitation activityextr dataextraextra dataextrac dataextraction dataextre dataextri dataf0 fff7 b9failedfalseff bbff d5ff fffilesflagflagsformatfull reportsg2 rsagandi sasgeneric httpgermany as8560get httpgmbhgmtngo binarygooglegrok xgroup indiaguardhacktool codehandlehashes oheader elf64helphid ivhighhistorical sslhosthostn urlhttp exehwp supportidentity & access exploitationids detectionsinclude reviewindicatorinjectioninjection activityinput threatinteliosiot securityipv4ja3 digestslearnlevellevel analysislinuxlizardsquadloadslocallog idlogmeinlow risklowfimadagascarmal_elf_systembcmal_elf_systembc_ratmalwaremarkmonitormarkusmedia centermediummetamiraimitre attmobile threatmodelmodify systemmovedmrasnms windowsmsien httpsname logmeinname serversname tacticsnamecheap incnetherlands asnnetworknetwork namenorth americanoteo metadataobserved dnsobserved rmmocspoffset sizeorg logmeinoutbound yarapathpattern matchpe filepe32 executablepegasuspegasus relatedphishingpleaseportpost httppost napresent junprivate limitedprocessprocess 
t1064pushqnapcryptqueryransomransomwareratratiorecord valueremotelyanywhereresearchedreverse dnsrmm domainsalfordsc datase datasearchsectigo limitedsectigo rsasecureselfself-deleteserver caserversservice scanservice-scansh certificshowsigning defenseslcc2smoke loadersmtpspawnsssl certificatestackstop typstringsstripchatstrtabstwasummarysummer stsweflagsystembcsysvt1027t1045t1055t1057t1060t1063t1064t1069t1069.002t1071t1071.001t1071.004t1105t1113t1119t1129t1140t1480t1480.002t1518t1518.001t1543t1543 privilet1543 systemdt1543.002t1547t1553t1553.002t1568t1568.002t1583t1583.001t1587.001ta0004 crtechnir createtelhashtestpagingthreat actortitletitle errortls snitls webtop destinationtop sourcetor nodetracetrojantrojandroppertwittertwitter spywaretwitter vtflooderu extractiounitedunited statesunixunknown nsupload inboundurlsusa windowsv execvercelvulnerability scanwhois serverwhois showwin32cuegoe aprwin32cve aprwin32cve yarawindirwindows ntwritewrite cx msedgex poweredx vercelyandexyara detectionsyara rule
Activity Timeline
Jun 3
Threat Activity Heatmap
Peak: 2026-06-03
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 50
Confidence: 50%
Reports: 4
First seen: May 30, 2026
Last seen: Jun 3, 2026
VirusTotal: Not checked
WHOIS
- registrar
- NAMECHEAP INC
- description
- "Living off the Land" Takeover (LogMeIn.com). INCIDENT REPORT: HIGH-VALUE TARGET NETWORK INTRUSION. Threat Profile: Human-operated corporate-grade attack chain targeting an isolated device. Vector: Local network exposure (compromised router/neighboring device) or physical media (USB). Attack Chain Stages: Quant Script: Obfuscated entry file bypassing network filters. SystemBC RAT: Creates a silent, persistent SOCKS5/Tor tunnel for attacker commands. LogMeIn Abuse: Attackers use legitimate remote software to control the device undetected. Crowti (CryptoWall): Final ransomware payload to encrypt high-value data. Key Observations: Because the target device lacked direct internet access, adversaries are actively abusing the local network infrastructure or physical proximity to bridge the gap. I'm open to other opinions regarding this report. I have been unwell and my thinking has been unclear and even off as I focus on getting well. Thank you.
- domain rank
- -1
- raw
- Admin City: Reykjavik Admin Country: IS Admin Email: [email protected] Admin Organization: Privacy service provided by Withheld for Privacy ehf Admin Postal Code: 101 Admin State/Province: Capital Region Creation Date: 2017-12-15T22:10:54.00Z Creation Date: 2017-12-15T22:10:54Z DNSSEC: unsigned Domain Name: arena.ai Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain name: arena.ai Name Server: joel.ns.cloudflare.com Name Server: marge.ns.cloudflare.com Registrant City: ddbf76e4e8cee320 Registrant Country: IS Registrant Email: [email protected] Registrant Fax Ext: 3432650ec337c945 Registrant Fax: 3432650ec337c945 Registrant Name: 37bfbc24cafea5d2 Registrant Organization: 4b7a0912c26a13e2 Registrant Phone Ext: 3432650ec337c945 Registrant Phone: 1c9a7bcdeaf95e9f Registrant Postal Code: f206c9d9737ad45d Registrant State/Province: 3e0204199d8ebf9c Registrant Street: c6523241936df1ba Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +1.9854014545 Registrar IANA ID: 1068 Registrar Registration Expiration Date: 2028-05-03T22:10:54.00Z Registrar URL: http://www.namecheap.com Registrar URL: https://www.namecheap.com/ Registrar WHOIS Server: whois.namecheap.com Registrar: NAMECHEAP INC Registrar: NameCheap, Inc. Registry Admin ID: 362c50b69d20453b96cf1bc2849b9185-DONUTS Registry Domain ID: adb85dd2bcbe4029807812c55a1a18a6-DONUTS Registry Expiry Date: 2028-05-03T22:10:54Z Registry Registrant ID: 5a0a4d1642d64d9a838d2d5950252a35-DONUTS Registry Tech ID: 24fda7a078614d6e94d56c5cb4b0c81c-DONUTS Tech City: Reykjavik Tech Country: IS Tech Email: [email protected] Tech Organization: Privacy service provided by Withheld for Privacy ehf Tech Postal Code: 101 Tech State/Province: Capital Region Updated Date: 2025-09-29T15:17:42.16Z Updated Date: 2025-10-17T19:57:46Z
- references
- https://www.logmein.com/products/resolve • http://devices-iot.console.gotoresolve.com/, https://adservice.google.com.uy/clk • adservice.google.com.uy, Amazonaws.com • Amazon.com, screenmaxxxing.com • wiki.xxkcamffk.cc • playfoundermode.com, https://www.anyxxxtube.net/search-porn/tsara-brashears/ • www.anyxxxtube.net, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian, 103.246.145.111 • http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel, 13.107.226.70 • 13.107.253.70 - Malware Hosting, http://212.33.237.86/images/1/report.php, http://watchhers.net/index.php, remoteexecution-runner-api.services.gotoresolve.com, firebaseremoteconfig.googleapis.com, alerts-frontend-api-fd-stage.services-stage.gotoresolve.com, alerts-monitor-api-fd-prodeu.services.gotoresolve.com, testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1, Yara Detections: is__elf, IPs Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206, Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com, Names: testpaging upof6w.exe, Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info, https://cdn.console.gotoresolve.com/applet, Crowdsourced Signa: Matches rule Suspicious Outbound SMTP, Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APIs by Brandon George (blog Crowdsourced), Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60, Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com), Matches rule ET INFO External IP Check (checkip .amazonaws .com), ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX), Matches rule SURICATA Applayer Detect protocol only one direction, SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account to act as their human-controlled, "living off the land" command station. Attack Chain: Threat actors chain these three specific components together to bypass traditional security filters: [Quant Script (Initial Drop)] ➔ [SystemBC (SOCKS5/Tor Tunnel)] ➔ [LogMeIn.com (Legitimate Remote Access)] ➔ [Ransomware]. RaaS attack designed to deploy ransomware against 'high value' targets or corporations. In this specific attack chain, the threat actors use the Quant Loader script for initial entry. The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file. An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection by pulling its primary files over public SMB shares. The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC. SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel. This lets the threat actor route malicious command traffic into the local corporate network undetected. Once inside the network, attackers avoid deploying more loud hacking tools & download or abuse LogMeIn[.]com software. Because LogMeIn is a legitimate remote management tool used by actual IT departments, its outbound traffic to logmein.com domains looks completely normal to firewalls. The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware. remoteexecution-runner-api.services.gotoresolve.com • appleremotesupport.com • firebaseremoteconfig.googleapis.com • remoteexecution-runner-api.services.gotoresolve.com • remotelyanywhere.com • http://watchhers.net/index.php • firebaseremoteconfig.googleapis.com • appleremotesupport.com • remotelyanywhere.com. Immediate Recommendations: Disconnect all routers and isolate the network. Air-gap the target device (disable Wi-Fi, pull cables). Expensive: Dispose of all devices. Change all credentials from a separate, clean network. If possible: Move to Switzerland.
- subdomains count
- 44
IOC Journey
Confidence: medium. First detected 12 days ago · Last seen 8 days ago.
Appeared in 4 threat reports