docs.tw
Indicator type: Domain · Risk: High · Verified IOC · Signal 100/100

First Seen: Aug 21, 2022
Last Seen: Dec 4, 2025
Found in 6 reports. Confidence: high (99%). Confidence scores are heuristic; verify before acting on results.

Domain Name: malicious domain used for C2, phishing, or malware distribution (generic description for this indicator type)
MISP Category: Network Activity
Confidence: 99%
Signal Score: 100 / 100
IDS Rule: No
Threat Context, Tags, MITRE ATT&CK TTPs: none listed

Feed Intelligence Summary: 6 source reports · 99% confidence score
Activity Timeline: single sighting on Dec 4, 2025 (heatmap peak 2025-12-04)
Recent activity: 24h 0 · 7d 0 · 30d 0 · 3mo 0 (dormant on every window)
Threat Score: 100 (High Risk)
Verified IOC: yes · VirusTotal: not checked
WHOIS
description: Operation Endgame: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or **Mirai** (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
domain rank: -1 (no rank available)
raw:
  Domain Name: docs.tw
  Domain Status: clientTransferProhibited
  Registrant: 3432650ec337c945
  Registrar Abuse Contact Email: [email protected]
  Registration Service URL: http://myname.pchome.com.tw
  Name Server: elsa.ns.cloudflare.com
  Name Server: henry.ns.cloudflare.com
subdomains count: 11
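The raw WHOIS record reaches the reader as one flattened line, and the page offers a STIX 2.1 export without showing what it contains. The Python below is an added example, not the feed's own export code: it splits the flattened record back into labeled fields, recovers the unlabeled Cloudflare name servers that trail the last field, and emits a minimal STIX 2.1 Indicator for the domain carrying the page's first-seen date and confidence. The raw record and dates are the ones shown on this page; the property names `x_feed_last_seen` and `x_whois_name_servers` are custom properties chosen for this example, and the description text only restates the page's own caveats.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed input: the raw WHOIS record exactly as the feed page flattens it
# onto one line (field separators lost, trailing name servers left unlabeled).
RAW_WHOIS = (
    "Domain Name: docs.tw Domain Status: clientTransferProhibited "
    "Registrant: 3432650ec337c945 Registrar Abuse Contact Email: [email protected] "
    "Registration Service URL: http://myname.pchome.com.tw "
    "elsa.ns.cloudflare.com henry.ns.cloudflare.com"
)

# Labels observed in the flattened record; anything else is treated as a value.
WHOIS_LABELS = [
    "Domain Name",
    "Domain Status",
    "Registrant",
    "Registrar Abuse Contact Email",
    "Registration Service URL",
]
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


def parse_flattened_whois(raw: str) -> dict:
    """Recover labeled fields from a WHOIS record whose line breaks were lost.

    Each known label is matched literally; the text up to the next label is its
    value. Bare hostnames trailing the final value are peeled off as name servers
    (the feed drops the 'Name Server:' label for them). Heuristic: a URL or an
    e-mail address never matches HOSTNAME_RE, so it stays with its own field.
    """
    label_re = re.compile("(" + "|".join(re.escape(k) for k in WHOIS_LABELS) + r"):\s*")
    parts = label_re.split(raw)  # [prefix, label1, value1, label2, value2, ...]
    fields = {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}

    name_servers = []
    labels_found = parts[1::2]
    if labels_found:
        last_label = labels_found[-1]
        tokens = fields[last_label].split()
        # Walk backwards while the trailing token looks like a bare hostname.
        while len(tokens) > 1 and HOSTNAME_RE.match(tokens[-1]):
            name_servers.insert(0, tokens.pop())
        fields[last_label] = " ".join(tokens)
    fields["Name Server"] = name_servers
    return fields


def _stix_ts(page_date: str) -> str:
    """Convert the page's 'Aug 21, 2022' date style to a STIX 2.1 timestamp."""
    dt = datetime.strptime(page_date, "%b %d, %Y").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def stix_indicator_bundle(domain: str, first_seen: str, last_seen: str,
                          confidence: int, description: str, whois: dict) -> dict:
    """Build a STIX 2.1 bundle holding one Indicator for the domain.

    valid_from is the feed's first-seen date. The last-seen date and the WHOIS
    name servers ride along as x_-prefixed custom properties (STIX 2.1
    convention, names chosen here) so a consumer can apply its own staleness
    and infrastructure rules instead of trusting the feed's score.
    """
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Domain names carry no quotes, but escape defensively for the STIX pattern.
    literal = domain.replace("\\", "\\\\").replace("'", "\\'")
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"Suspected malicious domain {domain}",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{literal}']",
        "pattern_type": "stix",
        "valid_from": _stix_ts(first_seen),
        "confidence": confidence,
        "x_feed_last_seen": _stix_ts(last_seen),
        "x_whois_name_servers": whois.get("Name Server", []),
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}


def build_docs_tw_bundle() -> dict:
    """Worked run over the values shown on this page."""
    whois = parse_flattened_whois(RAW_WHOIS)
    description = (
        "Malicious domain used for C2, phishing, or malware distribution "
        "(generic feed classification). Found in 6 reports; VirusTotal not "
        "checked; no activity in the last 3 months. Confidence scores are "
        "heuristic; verify before acting."
    )
    return stix_indicator_bundle("docs.tw", "Aug 21, 2022", "Dec 4, 2025",
                                 99, description, whois)


if __name__ == "__main__":
    print(json.dumps(build_docs_tw_bundle(), indent=2))
```

Pushing this bundle straight into a blocklist would act on a heuristic score the page itself says to verify; the custom last-seen and name-server properties are there so the consuming platform can decide for itself whether a domain dormant on every activity window, behind shared Cloudflare name servers, with VirusTotal unchecked, deserves a block or only a watch rule.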
IOC Journey: severity high · first detected 3 years ago · last seen 6 months ago · appeared in 6 threat reports