forest-entity.cc
Domain · Medium · Signal 97/100
First seen: Feb 21, 2026 (114d ago) · Last seen: May 20, 2026 (26d ago)
Source reports: 12 · Confidence: 97% (medium) · VirusTotal detections: 23/91
Found in 12 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 97%
Signal Score: 97 / 100
IDS Rule: No
Threat Context

Feed Intelligence Summary: 12 source reports · 97% confidence score

Category tags (aggregated across the 12 source reports; they span IoT botnet and brute-force activity as well as stealer and fake-CAPTCHA delivery, so not every tag describes this domain's own role):

& brute force · abusech-threatfox-c2 · cacrstealer · active scan · active scanning · arm · ascii · asyncrat · attack_technique · automated analysis · automated attack · automated scan · automated threat · bad reputation · bash · block-or-filter-list · bot_activity · bot_communication · botnet · botnet activity · botnet_c2 · botnetdomain · browser infection · brute force · brute force attack · brute force attempt · brute force attempts · brute_force · c2 · c2 activity · c2 communication · c2_communication · campaign_identifier · clipboard data theft · cnc_server · cnc_traffic · command & control · command and control · command execution · command_and_control · communication channel · communication protocol · compromise attempt · compromised host · compromised hosts · compromised system · compromised systems · cookie theft · countloader · credential access · credential harvesting · credential stuffing · credential_access · crypto wallet theft · cryptocurrency · curl · danabot · data encryption · data exfiltration · data store exposure · dattormm · ddos · ddos attacks · denial of service · distributed attacks · dns · dns attack · dropped-by-amadey · duggan usa research · elf · emotet · encoded · encryption · exe · executable file · exploit · exploitation activity · exploitation attempt · external attack · extortion · fakecaptcha · form grabbing · ftp · ftp brute force · ftp brute-force · ftp bruteforce · ftp_bruteforce · gafgyt · guloader · hajime · heodo · hta · http brute force · http bruteforce · http scanner · http scanning · http_enumeration · https · icedid · identity & access exploitation · indicator · indicators · indicators of compromise · information stealer · infostealer · infrastructure acquisitionreconnaissance · ingress tool transfer · initial access · initial hta · injection activity · internet of things · ioc · iot botnet · iot security · iot/ics attack · irc · kimsuky · lnk · loader · loader https · loader_dropper · lua · lumma · lumma stealer · lumma stealer activity · lummastealer · malicious links · malicious network activity · malicious powershell activity · malicious software · malicious url activity · malicious_script · malware · malware distribution · malware indicators · malware traffic · malware_distribution · manual-collection · medium-risk · mips · mirai · mirai botnet · mozi · msi · network · network activity · network attacks · network intrusion · network intrusion attempt · network intrusion attempts · network protocol · network reconnaissance · network scanning · network security · network_traffic · novel ioc · novel-ioc · open directory exploitation · opendir · password attack · password attacks · phishing · phishing attack · phishing campaign · possible malware infection · potential botnet activity · potential exploit · potential intrusion · potential malware · potential threat actor · powershell · precog · precog engine · process injection · protocol exploitation · ps1 · quasarrat · ransomware · rar · rat · rdp bruteforce · rdp_bruteforce · reconnaissance · remcos · remcos trojan · remcosrat · remote access · remote services · remote_access_trojan · researched · rev-base64-loader · rmm · saint helena, ascension and tristan da cunha · salatstealer · santastealer · scams & fraud · scanning activity · script · scripting attacks · security operations · sh · silverfox · smartloader · smtp · smtp brute force · snakekeylogger · social engineering · social media attack · ssh attack · ssh bruteforce · ssh_bruteforce · stealc · stealer_keylogger · stix · system disruption · tag-124 · targeting database · tcp port: 21 · tcp port: 22 · tcp port: 3389 · tcp protocol · telnet threat · threat actor · threat intelligence · tor node · trojan malware · twitter attack vector · type osint · ua-mshta · ua-wget · unauthorized access · unauthorized access attempt · unidentified threat actor · unknown threat actor · user agent: mozilla/5.0 · vidar · wallstealer · web security · web traffic · wget · wsgidavx · worm · zip

MITRE ATT&CK TTPs (as tagged in the source reports):

T1005 · T1016 · T1018 · T1021 · T1021.001 · T1027 · T1027.001 · T1040 · T1041 · T1046 · T1047 · T1053 · T1055 · T1059 · T1059.001 · T1059.003 · T1059.004 · T1071 · T1071.001 · T1071.004 · T1076 · T1078 · T1083 · T1086 · T1105 · T1110 · T1110.001 · T1110.002 · T1110.003 · T1110.004 · T1189 · T1190 · T1204 · T1204.001 · T1204.002 · T1486 · T1490 · T1496 · T1499.002 · T1499.003 · T1539 · T1555 · T1563 · T1565 · T1566 · T1566.001 · T1566.002 · T1566.003 · T1573 · T1573.001 · T1587.001 · T1590 · T1590.001 · T1595 · T1595.001 · T1595.002 · T1595.003

Note that T1076 (Remote Desktop Protocol) and T1086 (PowerShell) are retired ATT&CK IDs; current mappings use T1021.001 and T1059.001, both of which also appear above.
Activity Timeline: May 20

Threat Activity Heatmap · Peak: 2026-05-20

Activity by window:
- 24h: 0 (Dormant)
- 7d: 0 (Dormant)
- 30d: 1 (Minimal)
- 3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain **forest-entity.cc**, originating from Saint Helena, Ascension and Tristan da Cunha, has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats. First observed on February
Threat Score: 97 (High Risk) · Signal Score: 97 · Confidence: 97% · Reports: 12 · First seen: Feb 21, 2026 · Last seen: May 20, 2026
WHOIS
- registrar
- NICENIC INTERNATIONAL GROUP CO., LIMITED
- description
- The following is a full list of people who have contributed to the website of "factu" and "grupobedfs" - a group that includes the names of two groups of individuals.
- domain rank
- -1
- raw
  - Creation Date: 2026-02-04T15:49:48Z
  - DNSSEC: unsigned
  - Domain Name: FOREST-ENTITY.CC
  - Domain Name: forest-entity.cc
  - Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
  - Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  - Name Server: EUGENE.NS.CLOUDFLARE.COM
  - Name Server: PAISLEE.NS.CLOUDFLARE.COM
  - Registrant Country: HK
  - Registrant Email: 6eb609d996e182a6s@
  - Registrant Organization: 3432650ec337c945
  - Registrant State/Province: 7043151881d2a7f0
  - Registrar Abuse Contact Email: [email protected]
  - Registrar Abuse Contact Phone: +852.68581004
  - Registrar IANA ID: 3765
  - Registrar Registration Expiration Date: 2027-02-04T15:49:48Z
  - Registrar URL: https://nicenic.com
  - Registrar URL: https://nicenic.com/
  - Registrar WHOIS Server: whois.nicenic.com
  - Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
  - Registry Domain ID: 207835260_DOMAIN_CC-VRSN
  - Registry Domain ID: D202602041965385-COM
  - Registry Expiry Date: 2027-02-04T15:49:48Z
  - Registry Registrant ID: REDACTED FOR PRIVACY
  - Updated Date: 2026-02-04T15:49:48Z
- references
  - IOCs.2026.pdf
  - https://urlhaus.abuse.ch/browse/
  - https://ltna.com.au/cyber
  - https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/
  - https://x.com/skocherhan/status/2025082963088515260
  - https://x.com/skocherhan/status/2025082978095800638
  - https://x.com/skocherhan/status/2025083226935394677
  - https://x.com/skocherhan/status/2025096733361905776
  - https://x.com/skocherhan/status/2025099182004986026
  - https://x.com/skocherhan/status/2025107271546482773
  - https://x.com/skocherhan/status/2025218078313766963
  - https://x.com/skocherhan/status/2025245190211129580
  - https://x.com/skocherhan/status/2025247102322782425
  - https://x.com/skocherhan/status/2025247227665387558
  - https://x.com/skocherhan/status/2025247690938884373
  - https://x.com/skocherhan/status/2025264875816001899
  - https://x.com/skocherhan/status/2025269536555978954
  - https://x.com/skocherhan/status/2025274934553980963
  - https://x.com/skocherhan/status/2025285426290786489
  - https://x.com/skocherhan/status/2025296951978143827
  - https://x.com/skocherhan/status/2025297475645370685
  - https://x.com/skocherhan/status/2025299905955131594
  - https://x.com/skocherhan/status/2025303841906790416
  - https://x.com/skocherhan/status/2025326389642068383
  - https://x.com/skocherhan/status/2025331515387695182
  - https://x.com/skocherhan/status/2025335590531572143
  - https://x.com/skocherhan/status/2025339253232922838
  - https://analytics.dugganusa.com/api/v1/stix/master
  - https://github.com/pduggusa/dugganusa-research
- subdomains count
- 0

What the raw record says about this domain before anyone acts on the feed hit: it was created on 2026-02-04, roughly two weeks before the first sighting on Feb 21; it is registered for a single year; registrant organization, state and email are redacted or hashed; DNSSEC is unsigned; and the domain is delegated to Cloudflare name servers, so any resolved address is Cloudflare's edge, not the origin. The registrant country is HK. Nothing in WHOIS corroborates the Saint Helena, Ascension and Tristan da Cunha location carried in the tags and the AI summary, so do not treat that location as attribution.
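As an added worked example (not code from the indicator page or from any of the feeds it cites), the following Python parses the raw WHOIS record above, which the page prints as one space-joined line, derives the registration checks an analyst would run before blocking on a single feed hit, and emits the domain as a hand-built STIX 2.1 Indicator plus Domain-Name object of the kind the page's STIX 2.1 export provides. It assumes only the standard library; the FIRST_SEEN and CONFIDENCE constants are taken from the page's stats, the WHOIS text is copied from the record above, and the field names in KEYS are the ones that appear in this record.

```python
"""Parse a flattened WHOIS record, run registration checks, emit a STIX 2.1 bundle."""
import json
import re
import uuid
from datetime import datetime, timezone

# WHOIS text as the indicator page prints it: one line of "Key: Value" pairs.
RAW_WHOIS = (
    "Creation Date: 2026-02-04T15:49:48Z DNSSEC: unsigned "
    "Domain Name: FOREST-ENTITY.CC Domain Name: forest-entity.cc "
    "Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited "
    "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited "
    "Name Server: EUGENE.NS.CLOUDFLARE.COM Name Server: PAISLEE.NS.CLOUDFLARE.COM "
    "Registrant Country: HK Registrant Email: 6eb609d996e182a6s@ "
    "Registrant Organization: 3432650ec337c945 Registrant State/Province: 7043151881d2a7f0 "
    "Registrar Abuse Contact Email: [email protected] "
    "Registrar Abuse Contact Phone: +852.68581004 Registrar IANA ID: 3765 "
    "Registrar Registration Expiration Date: 2027-02-04T15:49:48Z "
    "Registrar URL: https://nicenic.com Registrar URL: https://nicenic.com/ "
    "Registrar WHOIS Server: whois.nicenic.com "
    "Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED "
    "Registry Domain ID: 207835260_DOMAIN_CC-VRSN Registry Domain ID: D202602041965385-COM "
    "Registry Expiry Date: 2027-02-04T15:49:48Z Registry Registrant ID: REDACTED FOR PRIVACY "
    "Updated Date: 2026-02-04T15:49:48Z"
)
DOMAIN = "forest-entity.cc"
FIRST_SEEN = datetime(2026, 2, 21, tzinfo=timezone.utc)  # page: "First Seen Feb 21, 2026"
CONFIDENCE = 97                                           # page: "97% confidence"

# Field names that occur in this record (assumption: extend for other registrars).
KEYS = [
    "Registrar Registration Expiration Date", "Registrar Abuse Contact Email",
    "Registrar Abuse Contact Phone", "Registrar WHOIS Server", "Registrar IANA ID",
    "Registrar URL", "Registry Domain ID", "Registry Expiry Date", "Registry Registrant ID",
    "Registrant State/Province", "Registrant Organization", "Registrant Country",
    "Registrant Email", "Creation Date", "Updated Date", "Domain Status", "Domain Name",
    "Name Server", "DNSSEC", "Registrar",
]
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(k) for k in KEYS) + r"):\s+")


def parse_flat_whois(text: str) -> dict[str, list[str]]:
    """Split a space-joined WHOIS dump into {field: [values]}.

    Values can contain ':' themselves (the ICANN EPP status URLs), so field
    boundaries are located by matching known field names, not by splitting on
    colons. Repeated fields (two Name Server entries, two Domain Status entries)
    are kept in order; exact duplicates are dropped.
    """
    fields: dict[str, list[str]] = {}
    hits = list(_KEY_RE.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        value = text[m.end():end].strip()
        bucket = fields.setdefault(m.group(1), [])
        if value not in bucket:
            bucket.append(value)
    return fields


def _iso(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def registration_checks(fields: dict[str, list[str]], first_seen: datetime) -> dict:
    """Registration facts to weigh against a heuristic feed score."""
    created = _iso(fields["Creation Date"][0])
    expires = _iso(fields["Registry Expiry Date"][0])
    name_servers = [ns.lower() for ns in fields.get("Name Server", [])]
    age_days = (first_seen - created).days
    return {
        "created": created.isoformat(),
        "age_days_at_first_seen": age_days,
        "registered_within_30d_of_first_seen": age_days <= 30,
        "registration_term_days": (expires - created).days,
        "dnssec_signed": fields.get("DNSSEC", [""])[0].lower() == "signed",
        # Cloudflare-fronted: resolved IPs are the CDN edge, not the origin host.
        "behind_cloudflare_ns": bool(name_servers)
        and all(ns.endswith(".ns.cloudflare.com") for ns in name_servers),
        "registrant_country": fields.get("Registrant Country", ["?"])[0],
        "registrant_redacted": any("REDACTED" in v for v in fields.get("Registry Registrant ID", [])),
        "registrar": fields["Registrar"][0],
        "registrar_iana_id": fields["Registrar IANA ID"][0],
    }


def _stix_ts(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_indicator_bundle(domain: str, first_seen: datetime, confidence: int, checks: dict) -> dict:
    """Hand-built STIX 2.1 bundle: an Indicator with a domain-name pattern plus the
    Domain-Name observable. The checks ride along in the description so a consumer
    sees why the indicator was raised and not only the pattern."""
    if "'" in domain or "\\" in domain:
        raise ValueError("domain would break the STIX pattern literal")
    sco = {"type": "domain-name", "spec_version": "2.1",
           "id": f"domain-name--{uuid.uuid4()}", "value": domain}
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": _stix_ts(first_seen), "modified": _stix_ts(first_seen),
        "name": f"Malicious domain {domain}",
        "description": "Registration checks: " + json.dumps(checks, sort_keys=True),
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": _stix_ts(first_seen), "confidence": confidence,
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator, sco]}


if __name__ == "__main__":
    whois_fields = parse_flat_whois(RAW_WHOIS)
    reg_checks = registration_checks(whois_fields, FIRST_SEEN)
    print(json.dumps(reg_checks, indent=2))
    print(json.dumps(stix_indicator_bundle(DOMAIN, FIRST_SEEN, CONFIDENCE, reg_checks), indent=2))
```

Run against the record above, the checks come out as: created 2026-02-04, 16 full days old at the first sighting, a 365-day registration term, DNSSEC unsigned, both name servers under ns.cloudflare.com, registrant country HK and a redacted registrant ID. Those are the facts to put next to the feed's "97% (medium)" score when deciding whether a block is justified; the STIX bundle carries them in the indicator description so downstream tooling inherits the reasoning rather than a bare pattern.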
Export & API: STIX 2.1 Bundle · CSV Export · Permalink
IOC Journey: medium · First detected 3 months ago · Last seen 26 days ago · Appeared in 12 threat reports