IOC Radar
DomainMediumSignal 48/100

darwin.github.wiki

Location
SlovakiaSlovakia
First Seen
May 4, 2022
Last Seen
May 1, 2026
May 4
First Seen
1507d ago
May 1
Last Seen
49d ago
4
Reports
source reports
48%
Confidence
medium
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
48%
Signal Score
48 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

7 techniques

Feed Intelligence Summary

4 reports48% confidence
4
Source reports
48%
Confidence score
Category tags
a serviceabcdabuseacceptaccessaccountacidrainactive scanad environmentad groupadfindadministratoraes keyafghanistanafricaagentahnlabai securityaitbalbaniaalbanianalexalienvault_ransomwarealiveallegatoamadeyamsi telemetryanalyzeanchoranchordnsandroidanunakanydeskanydesk remoteapacheapache tomcatapi callapi hashapi hashingappdataappeappearanceaptapt 27apt groupapt19apt27apt29apt29 activityapt29 conductapt41aquatic pandaarcanearmeniaartefactsfolderartemisascii valueascii85asec analysisasiaasyncratateraatera agentatomatomicattackattack overviewauroraautoitav evasionavastavosavoslockerazaz09azorultbackbackdoorbad rabbitbad reputationbankbasebase64base85basecampbatloaderbazaarbazaloaderbazarbazar c2bazar loaderbazarbackdoorbazarcallbazarloaderbazarloader dllbeaconbeacon dllbeacon payloadbeacon typebeacon versionbeaconloaderbeapybearbeatdropbeerbelarusbelowbeyondbitcoinbitsblackcatblackshadesblisterblobbluenoroffboatlaunchbodybokbotbookmark serverboommicbotnetbotnet activitybrazilbreachbridgebrowserbughatchbuildbumblebee c2bumblebee dllbypassc activityc serverc2 datac2 dropboxc2 profilec2 serverc2 trafficcaesarcampocampo loadercanadacanthroidcaploadercapturecarbon spidercashcec listcenterallcerbercertchachachamelgangchanitorchaprochatchimerachinachina chopperchinese-speaking cybercrimechiselchm filecisacisco securecisco taloscisco threatck techniqueclassclassloadercleanupclickclosecloudcnc servercnuserscobaltcobalt strikecobalt strike loadercobalt strikescobaltstrikecodecoinminercolor1cometcommandcommand & controlcommand and controlcommentcommercial bankingcompilecomspecconceptconficonfigconfluence dataconsolecontcontactcontentconticonti affiliateconti gangconti groupcontributorscontrolcookiecookie valuecopycorecore impactcortex xdrcovewarecovid19cp1250crowdstrikecrphcryptercryptocurrencycs loaderctrltcubacuba ransomwarecustomerloadercvsscybercyber espionagecyber espionage solutionscyber threat hunterscyber threatscybercrime hascybereason xdrcybersecurity architectcyclopsczechiadark cometdarkcometdarkgatedarkhoteldarkshelldarksidedatadata centerdata exfiltrationdata riskdatopdatoploaderdaveshelldc serverdclocalddosdeadeyedecoydecryptdef condefenderspynetdefensedefense evasiondefraydefray777delphidemodenis legezodesktopdetectdexterdfdownloaderdfir reportdfir teamdiavoldiceloaderdidier stevensdigital certificatesdircreatedirect systemdirectorydiscorddisplaynamedistributed attacksdkmcdkmc frameworkdll filedll librarydll payloaddll sideloadingdllentry ratdllsdnc hackdnc networkdns attackdoesndomaindonald trumpdonedonutdoormedoorme backdoordoppelpaymerdoradorkbotdos headerdownloaderdownragedpiawaredridexdropboxdropbox loaderdropperdrops cobaltduckdukedumpduqudustpandwordearth wendigoeasyeasylookedr hooksedreppefnoegregoregregor payloadelfeliteemerging threatemissary pandaemotetemotet campaignemotet coreemotet epochemotet payloademotet runempireenableencoderencryptencryptionendpoint1energyenglishenjoyenterpssessionentropyentry pointepochepochsepochtimeerik hjelmvikerroreseteset researcheset securityestoniaesxiet cncet exploiteuropeeurope/asiaevil corpexcelexecutable fileexfiltrationexitendififexotic lilyexpert perspectiveexploitexploitation activityexport functionfailfalconfalcon completefalsefastfeaturefeodo trackerficker stealerfigurefilefilejustfileless malwarefilesfillerfin7finalfindfinspyfireeyefirstfirst detectionfishmasterfivehandsflexfooterfoozerforceforeign affairsformformatfortunefrom karakurtfrontfrpfunctiong o2gap analysisgasgategate variantgaussgeckogeneric.933739georgiagermanyget requestgetchilditemgetoperandvaluegif headergithubgithub projectglobal funcgnu cgo downloadergogogolanggold blackburngoogle chromegoogle cloudgoogle docsgoogle drivegootkitgootkit loadergootloadergotrojgozigozi malwaregrabffgrantedaccessgrapeloadergreecegriffongroup policygroupexchangegrouprevilgroupuchebkacguardguloaderhackhackermanhacking teamhadeshaixi mongolhancitorhancitor c2hancitor dllhancitor exehandoverharpyharvesterhashhatching triagehavocheaderheadlineshellhellohello packethellokittyhidehidedrvhighesthikithillhivehoneymytehong konghookhookshta filehtmlhtml filehtml objecthttphttp c2http gethttp methodhttp posthttp traffichttpshttps traffichumanhuntershwinithlwhydraicedidicedid malwareicedid payloadiceidicmpida proidentity & access exploitationigosiis workeriit appil fileil messaggioimages evidenceimpactimportincident responseindia-chinaindicatorindonesiainfectionidinfoinfostealerinitial accessinitial contactinjectinjectorinstallintelintro contiinvestigation servicesinvestigationsioc510iocindicatoriocsiot securityipcountipv4iran, islamic republic ofiso fileiso filesystemiso imageissuer cusissuer orgitaliaitalyitw nameja3ja3sjames haughomjan rubnjapanjarmjarm signaturejarsjasonjavascript codejitterjohnjs filejson objectjssloaderkarakurtkaspersky icskazakhstankazuarkerrdown samplekeyplugkhalesikhtmlknightkoadickorea, republic ofkoreankportscankronoslaterlatinlatvialazagnelearnlearn morelegallegezolemon duckleviathanlifelimelinodelinuxlinux systemlithuanialnk filelnklnklnklnkloaderlocallockbitlockbit blacklog4jlog4shelllogiclogmeinlokibotlolbinslpwstr lpbufferlsasslsass memorylsass processltexasluckyluckymouseluminousmothmac osmacawmachinescalemachomacosmacromagicmailtomainmain entrymakadocsmakesmalaysiamalcatmaldocmalicious filemalicious softwaremalspammalwaremalware descriptionsmalware technologiesmalwarebazaarmanagemanaged xdrmarchx8664 gmaremarkmaskmatanbuchusmatches nomatrixmazemaze ransomwaremcafeemediamedremeetingmegamespinozametasploitmeterpretermethodmethodologymexicomichaelmicromicrobackdoormicrosoft docsmicrosoft wordmidst intrusionmindminermitre attmobile threatmodelmodule stompmongoliamonitoringmonovmmonpassmonpass clientmonpass webmorphisec labsmortomotcmotnugmountlockermovingmozillams windowsmsbuildmsbuild processmsbuild projectmsf downloadermsf shellcodemshtml enginemsiemssqlmssql processmssql servermuddywatermultiplemustang pandamyanmarmyrtusmz headern c2n cobaltn httpsnaganamename filenarilamnation-state activitynativezonenbtscannebulaneitherneshtanetbiosnetscannetspynetsupport ratnetwalkernetwirenetworknetwork forensicsnevernew zealandnewsnextnexusngrokngrok tunnelnightnim malwarenim programmingnimgrabbernimrevnimrodnimrodnimzanimzaloadernltestnobeliumnonamenorth americansantdsntlmntlm hasho2 o2ocean lotusoceaniaoceanlotusoffensivenimoilrigololone marketplaceoniondukeonlinoofficeopenopen processopen sourceopenfieldopensopenssloperation pawnoperationsopsecor filefullnameoracle weblogicorionos versionoverownerp4bnzr0palo altopandapartpasspatchpathpawn stormpayloadpayloadbinpcappdf documentpe headerphasephishingphotoloaderpingpinkslipbotpioneerpipespl shellcodeplatform sha256pleadpleaseplinkplugxplugx backdoorplugx implantpoisonpolandpoliceponypoortryportpos softwareposhc2postpost bodypost methodpotential scanpowerpowershellpowershell ratprefecturepress enterprimary threatpriorprivacyprocess hackerprocess injectionprojector libraprophetprophet spiderprotectproxyproxyshellpsexecpsrppublicputtypymafkapysapysa ransomwarepythonpython scriptpyxieqakbotqakbot binaryqakbot malspamqakbot malwareqbotquasarquesto certquietexitraasradarradminragnarlockerraindrop loaderrandomransomransom virusransomexxransomhubransomwarerapid7rararchiveraspberry robinratrat trojanratsrazyrc4 encryptionreaves6 minreconrecon villagereconnaissanceredlineredline stealerreferregszregwriterelatedtoremcomremcosratremoverenamereportreportsrequestresearchresearchedreturn addressrevilrevilcontiritarobinhoodrollcoastrootrozenarubeusrubyrun registryrussiarussian federationrustrustockrustybuerryukryuk domainryuk hostryuk ransomwareryuk threatsabbathsafetykatzsagesandboxsandbox reportscalescams & fraudscan behavioralscannerscoutscriptseadukeseatbeltsecurexsecurity groupssekhmetsekurselectserbiaserverserver helloserviceservice mainservice scanservice workerset currentsfx codesfx fileshadowshadow chasersharpkatzshathakshellshellcodeshownshutsignsilentsilent breaksilent trinitysilentbreaksizesleepsleepexslingshotsliverslovakslovakiasmadavprotect32smallsmb beaconsnakesnortsnowsoarsocgholish netsupportsocssodinokibisofacysoftethersolarstormsolarwindssomniasourceimagesouth africasouth americaspamsparklinggoblinsparkratspawnspear phishingspeedsphwspidersprite spiderspyeyesslblstabuniqstackstagestagerstagesstarstarkstarsstarted servicestartwstatastatestdoutstealerstellarparticlestoneboatstopstormstorystreamstrikestrike activitystrike beaconstrike loaderstrike payloadstringstringsstrongstrontiumsttxstuxnetsublime editorsummarysuncryptsupernovasupply chain attacksvchostswedishswiftsyscallsysdigsystembcsyswhispers2szdrft1055t1071.001t1486t1496t1499.002t1499.003t1565ta471ta551ta578ta800talostargettargeted attackstargetimagetask managertcp portteamteamt5teamt5 teamt5techtelecomtelecommunicationstemptencenttheftthemidathorthreatthreat actorthreat advisorythreat alertthreat analysisthreat analysis servicethreat feedthreat gridthreat intelligencethreat researchthreat responsethreat spotlightthreat-intelligencethreatsthreatsonarthreatsonar anti-ransomwarethreatvisionthrowbacktinbatipstldstls clienttls servertoolstor directorytor nodetouchtracingtrackertransferxl urltransferxl urlstravelextrellotrend microtrend visiontrickbottrickbot c2trickbot crewstrickbot grouptrickbots crewtrickbots cstriggertrinidad and tobagotrinitytrojantrojanspytrumptrustttpsturkeyturkishturlatvrattwittertycoontypeuac0056ukraineunc1151unc2165unc2190unc2190 beaconunc2198unc2452unc2465unc2589unc3381unified accessunitunited statesunusual porturisurlcampourlsurls httpurlshxxpursnifuse sectionuserpcnameuuid variantuuidsuwagavaporragevariantvaronisvaronis threatvatetvawtrakvba macrovbs scriptvhashvidarvietnamviewvincssvision onevmwarevmware commandvmware horizonvmware identityvmware xfervnc activityvobfusvoicevoidvollgarvscodevulnerability scanwaf rulewdigestweb application attackweblogic accesswebshellwherewin32.agentwin32.bitcoinminerwinapiwinapi callwindwindowwindowswindows binarywindows contextwindows eventwindows exewindows hostwindows logonwindows ntwindows remotewindows servicewindows systemwineloaderwinidswinntiwinnti groupwinrarwinrmwinscpwiperwirelurkerwizard spiderwmicwmiexecwordword documentworkspace onewormwritewscriptx.509xll filexmrigxor algorithmsxss attackxtunnelxyzcampobb hxxpyahxzyanluowangyarayara rulez85 ascii85z85 httpszbotzenpakzeuszip filezloaderzscaler cloudzusyzxkbdklakv

Activity Timeline

1 total obs
May 1May 1

Threat Activity Heatmap

· Peak: 2026-05-01
Less
More
Mon
Wed
Fri
Jun
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Intelligence SummaryAI Generated

The domain **darwin.github.wiki** has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats, including botnets, command and control (C

Threat ScoreMedium Risk
48
SIGNAL
Signal Score
48%
Confidence
4
Reports
First seenMay 4, 2022
Last seenMay 1, 2026

VirusTotal

Not checked

WHOIS

description
In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 4 years ago · Last seen 1 month ago
Appeared in 4 threat reports