IOC Radar
Domain · Medium · Signal 85/100

brackusi0n.live

Location: Estonia
First Seen: Feb 5, 2026 (139d ago)
Last Seen: Jun 20, 2026 (4d ago)
Reports: 12 source reports
Confidence: 85% (medium)
Found in 12 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 85%
Signal Score: 85 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 42 techniques

Feed Intelligence Summary

12 source reports · 85% confidence score
Category tags

Activity Timeline

1 total observation (Jun 20)

Threat Activity Heatmap

[Heatmap: weekly activity grid, rows Mon/Wed/Fri, months Jun through the following Jun] · Peak: 2026-06-20
Recent activity windows:
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 85
Confidence: 85%
Reports: 12
First seen: Feb 5, 2026
Last seen: Jun 20, 2026

VirusTotal: Not checked

WHOIS

registrar: Name.com, Inc.
domain rank: -1
raw:
Admin City: Denver
Admin Country: US
Admin Organization: Domain Protection Services, Inc.
Admin Postal Code: 80201
Admin State/Province: CO
Creation Date: 2025-06-26T07:29:45Z
DNSSEC: unSigned
DNSSEC: unsigned
Domain Name: BRACKUSI0N.LIVE
Domain Name: brackusi0n.live
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Name Server: ns1cny.name.com
Name Server: ns2fgp.name.com
Name Server: ns3fgh.name.com
Name Server: ns4clq.name.com
Registrant City: 7545cbbbc34dcb54
Registrant Country: US
Registrant Email: 55ff021de8daad56s@
Registrant Fax: 9abdec4331ca5e22
Registrant Name: 1b8cf3baab8972aa
Registrant Organization: cccc85dcc279c581
Registrant Phone: 4399b2e77c01640d
Registrant Postal Code: a5466aaa575b5c98
Registrant State/Province: 5909b98f8d0e7f8a
Registrant Street: 3356d3f1c1732560
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.7203101849
Registrar IANA ID: 625
Registrar Registration Expiration Date: 2026-06-26T07:29:45Z
Registrar URL: http://www.name.com
Registrar WHOIS Server: whois.name.com
Registrar: Name.com, Inc.
Registry Admin ID: Not Available From Registry
Registry Domain ID: 1b84718404e34bf9b7d5922231a3ecc0-DONUTS
Registry Expiry Date: 2026-06-26T07:29:45Z
Registry Registrant ID: Not Available From Registry
Registry Tech ID: Not Available From Registry
Tech City: Denver
Tech Country: US
Tech Organization: Domain Protection Services, Inc.
Tech Postal Code: 80201
Tech State/Province: CO
Updated Date: 2025-07-01T07:29:47Z
references:
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage
IOCs.3.csv
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/
subdomains count: 0

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

Confidence: medium
First detected 4 months ago · Last seen 4 days ago
Appeared in 12 threat reports