IOC Radar
Domain · Medium Signal 74/100

ctwo.msoftupdates.com

Location
Turkey
First Seen
Jun 5, 2020
Last Seen
May 21, 2026
Reports: 10 source reports
Confidence: 74% (medium)
Found in 10 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Domain Name: malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 74%
Signal Score: 74 / 100
IDS Rule: No
Threat Context

Tags: MITRE ATT&CK

MITRE ATT&CK TTPs: 67 techniques

Feed Intelligence Summary

10 source reports, 74% confidence score
Category tags

Activity Timeline

1 total observation (May 21)

Threat Activity Heatmap

Peak: 2026-05-21
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)

The domain ctwo.msoftupdates.com has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats, including botnets, command and control (C

Threat Score: High Risk
Signal: 74
Signal Score: 74%
Confidence: 10 reports
First seen: Jun 5, 2020
Last seen: May 21, 2026

VirusTotal: Not checked

WHOIS

registrar: GoDaddy.com, LLC

description:
SHA1: 33008f85428a83996083c3da92a8f00595071403
SHA256: cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf
https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4
https://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287
https://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations

raw:
Creation Date: 2022-09-02T20:26:45Z
DNSSEC: unsigned
Domain Name: MSOFTUPDATES.COM
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.BODIS.COM
Name Server: NS2.BODIS.COM
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: 480-624-2505
Registrar IANA ID: 146
Registrar URL: http://www.godaddy.com
Registrar WHOIS Server: whois.godaddy.com
Registrar: GoDaddy.com, LLC
Registry Domain ID: 2722814411_DOMAIN_COM-VRSN
Registry Expiry Date: 2023-09-02T20:26:45Z
Updated Date: 2022-09-02T20:57:16Z


IOC Journey (medium confidence)

First detected 6 years ago · Last seen 1 month ago
Appeared in 10 threat reports