IOC Radar
Domain · High · Verified · Signal 26/100

df1w.ink.dns-dynamic.net

Location: United Kingdom
First Seen: Jul 8, 2025 (339d ago)
Last Seen: Apr 11, 2026 (63d ago)
Reports: 4 source reports
Confidence: 26% (high)
Found in 4 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
26%
Signal Score
26 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK TTPs: 157 techniques

Feed Intelligence Summary

Source reports: 4
Confidence score: 26%
Category tags

Activity Timeline

1 total observation (Apr 11)

Threat Activity Heatmap

Calendar heatmap, Jun to Jun (graphic not reproduced) · Peak: 2026-04-11
Observations by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: Low Risk
Signal Score: 26 / 100
Confidence: 26%
Reports: 4
First seen: Jul 8, 2025
Last seen: Apr 11, 2026
Verified IOC
VirusTotal: Not checked

WHOIS

registrar
PDR Ltd. d/b/a PublicDomainRegistry.com
description
Operation Endgame: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or **Mirai** (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
raw
Admin City: GDPR Masked
Admin Country: GDPR Masked
Admin Email: [email protected]
Admin Organization: GDPR Masked
Admin Postal Code: GDPR Masked
Admin State/Province: GDPR Masked
Creation Date: 2024-02-21T07:31:04Z
DNSSEC: Unsigned
DNSSEC: unsigned
Domain Name: DNS-DYNAMIC.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS51.CLOUDNS.NET
Name Server: NS52.CLOUDNS.NET
Name Server: NS53.CLOUDNS.NET
Name Server: NS54.CLOUDNS.NET
Name Server: ns51.cloudns.net
Name Server: ns52.cloudns.net
Name Server: ns53.cloudns.net
Name Server: ns54.cloudns.net
Registrant City: 7bc26f5a5e70d417
Registrant Country: BG
Registrant Email: [email protected]
Registrant Fax Ext: 3432650ec337c945
Registrant Fax: 7bc26f5a5e70d417
Registrant Name: 7bc26f5a5e70d417
Registrant Organization: 7bc26f5a5e70d417
Registrant Phone Ext: 3432650ec337c945
Registrant Phone: 7bc26f5a5e70d417
Registrant Postal Code: 7bc26f5a5e70d417
Registrant State/Province: da2b7c2fc3244410
Registrant Street: 7bc26f5a5e70d417
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2013775952
Registrar IANA ID: 303
Registrar Registration Expiration Date: 2027-02-21T07:31:04Z
Registrar URL: http://www.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Registrar WHOIS Server: whois.PublicDomainRegistry.com
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registry Admin ID: GDPR Masked
Registry Domain ID: 2857152332_DOMAIN_NET-VRSN
Registry Expiry Date: 2027-02-21T07:31:04Z
Registry Registrant ID: GDPR Masked
Registry Tech ID: GDPR Masked
Tech City: GDPR Masked
Tech Country: GDPR Masked
Tech Email: [email protected]
Tech Organization: GDPR Masked
Tech Postal Code: GDPR Masked
Tech State/Province: GDPR Masked
Updated Date: 2024-03-07T16:28:03Z
Updated Date: 2024-04-22T00:08:37Z


IOC Journey

Confidence: high
First detected 11 months ago · Last seen 2 months ago
Appeared in 4 threat reports