Domain · High · Verified · Signal 100/100
esi.dz.boba26.dns-dynamic.net
First Seen: Mar 7, 2025
Last Seen: Jul 8, 2025
Found in 4 reports. Confidence: high. Confidence scores are heuristic; verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 99%
Signal Score: 100 / 100
IDS Rule: No
Feed Intelligence Summary
4 reports, 99% confidence
Source reports: 4
Confidence score: 99%
Category tags: the feed's tag cloud (including MITRE ATT&CK technique identifiers from T1003 through T1666) was extracted as fused text and is not reproduced here.
Activity Timeline
Jul 8
Threat Activity Heatmap · Peak: 2025-07-08
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Threat Score: High Risk
Signal Score: 100 (SIGNAL)
Confidence: 99%
Reports: 4
First seen: Mar 7, 2025
Last seen: Jul 8, 2025
Verified IOC
VirusTotal: Not checked
WHOIS
- registrar
- Cloud DNS Ltd
- description
- Operation Endgame: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or **Mirai** (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
- raw
  Admin City: REDACTED FOR PRIVACY
  Admin Country: REDACTED FOR PRIVACY
  Admin Organization: REDACTED FOR PRIVACY
  Admin Postal Code: REDACTED FOR PRIVACY
  Admin State/Province: REDACTED FOR PRIVACY
  Billing City: REDACTED FOR PRIVACY
  Billing Country: REDACTED FOR PRIVACY
  Billing Organization: REDACTED FOR PRIVACY
  Billing Postal Code: REDACTED FOR PRIVACY
  Billing State/Province: REDACTED FOR PRIVACY
  Creation Date: 2024-02-21T07:31:04Z
  Creation Date: 2024-02-21T09:31:04.000Z
  DNSSEC: unsigned
  Domain Name: DNS-DYNAMIC.NET
  Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  Domain Status: transferPeriod https://icann.org/epp#transferPeriod
  Name Server: NS51.CLOUDNS.NET
  Name Server: NS52.CLOUDNS.NET
  Name Server: NS53.CLOUDNS.NET
  Name Server: NS54.CLOUDNS.NET
  Name Server: ns51.cloudns.net
  Name Server: ns52.cloudns.net
  Name Server: ns53.cloudns.net
  Name Server: ns54.cloudns.net
  Registrant City: 1f8f4166599d23ee
  Registrant Country: REDACTED FOR PRIVACY
  Registrant Email: 7771df67aa26d40cs@
  Registrant Fax: 1f8f4166599d23ee
  Registrant Name: 1f8f4166599d23ee
  Registrant Organization: 1f8f4166599d23ee
  Registrant Phone: 1f8f4166599d23ee
  Registrant Postal Code: 1f8f4166599d23ee
  Registrant State/Province: 1f8f4166599d23ee
  Registrant Street: 1f8f4166599d23ee
  Registrar Abuse Contact Email: [email protected]
  Registrar Abuse Contact Phone: +359.885238998
  Registrar IANA ID: 4336
  Registrar Registration Expiration Date: 2028-02-21T00:00:00.000Z
  Registrar URL: https://www.cloudns.net
  Registrar WHOIS Server: whois.cloudns.net
  Registrar: Cloud DNS Ltd
  Registry Admin ID: REDACTED FOR PRIVACY
  Registry Billing ID: REDACTED FOR PRIVACY
  Registry Domain ID: 2857152332_DOMAIN_NET-VRSN
  Registry Expiry Date: 2028-02-21T07:31:04Z
  Registry Registrant ID: REDACTED FOR PRIVACY
  Registry Tech ID: REDACTED FOR PRIVACY
  Tech City: REDACTED FOR PRIVACY
  Tech Country: REDACTED FOR PRIVACY
  Tech Organization: REDACTED FOR PRIVACY
  Tech Postal Code: REDACTED FOR PRIVACY
  Tech State/Province: REDACTED FOR PRIVACY
  Updated Date: 2025-06-29T07:00:09Z
  Updated Date: 2025-06-29T10:12:20.000Z
IOC Journey
High · First detected 1 year ago · Last seen 11 months ago
Appeared in 4 threat reports