Domain · Medium · Signal 15/100
hackig.xyz
Location
First Seen: Jul 18, 2025
Last Seen: Apr 20, 2026
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 15%
Signal Score: 15 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
4 reports · 15% confidence
Source reports: 4
Confidence score: 15%
Category tags
.plaaaaabuseacceptaccessaccess ta0001access ta0006account securityactive scanactivity miraiaddressaddress domainadware malwareafricaag albertoag ingoair forcealertsalienvault_ransomwareall quietall scoreblueall searchanalyzer pasteandarielandroidanomalous fileappleas35994 akamaiasiaasnone dnsasnone germanyasnone relatedasnone unitedaustraliaaustriaav detectionsavg clamavbackdoorbad reputationbelgiumbiosbitsbodybotnet activitybrazilbrian sabeyca1 odigicertcapecatalog treecharter communicationscheckinchilechina unknownchromecityclickable urlscloud infrastructurecnamecnapple publiccnc beaconcodecode executioncode injectioncommandcommand & controlcommand and controlcommand executioncommunication protocolcontent typecontinent nacontrol ta0011cookiecopycountry uscp buscreation datecrypcur conocus cndigicertcyber folkscyber warfareczechia unknowndatadata accessdata copyingdata exfiltrationdata redacteddata store exposuredata transferddosddos attacksdefense evasiondeletedelete cdelete shadowsdelphidemonbotdenverdenver coloradodetected m1discovery e1082div divdns attackdockdomaindynamicloadere1203 datae1564 hiddenec oidecc sha384echo requestee edcje4jekyxeemailsemails infoencryptencryptionentrieseofaeerroretpro malwareeuropeeurope/asiaevasion ob0006expiration dateexpires thuexploitexploit noneexploitationexploitation activityfakedout threatfederation asnfilesfiles domainfiles ipfiles locationfiles matchingfin ivdofirstflag unitedfor privacyformformatfoundfull namegafgytgermanygoogle safegrumguardhashes capehelloworldhichinahide artifactshighhistorical sslhitmenholidaycheck aghome networkhondurashostinghostnamehostname enumerationhttphttp attackhttp headershttp hosthttp requesthttp scannerhuawei hg532huawei remotehungaryicann whoisicmp trafficids detectionsimmobilien agimpact ob0008impact ta0040inboundinc validityindicatorindonesiainformation gatheringinformation technologyinfrastructure acquisitionreconnaissanceingress tool transferinjection activityinstallinternet of 
thingsiocsiosiot botnetiot securityiot/ics attackipv4irelandireland unknownissuing cait infrastructurejapankenyakey algorithmkey identifierkraupakurt waltherlabel reflectedlabs pulseslicesslnmplnmp alookm1magic pdfmail spammermainmain stmalicious downloadmalicious linksmalicious powershell activitymalicious softwaremalwaremalware distributionmalware trafficmalware wormmedia centermediummemory patternmetametadata analysismethod statusmexicominiigd upnpmiraimirai botnetmirai variantmitmmitre attmobilemobile securitymobile threatmodule loadmoroccomovedms windowsms wordmsdefender aprmsiename serversnation-state activitynetherlandsnetworknetwork scanningnextnidsnondnsnorth americanumberob0005 defenseoceaniaodigicert incomg freesitesopenoperating systemoperating system securityotx scoreblueoverview ippacking t1045passive dnspattern domainspayload hellopdb pathpdf documentpdf executionpe resourcepedrazperuphishingphy samopleasepolandpoland unknownpornportpostpowershellprivacyprivacy adminprivacy techprocess injectionprocess32nextwproject pipulse pulsespulse submitpulsespuma sepushquantum fiberransomransomwareread crealtek sdkreconnaissancerecord typerecord valuerecycle binredacted forrefle2registry arinrelated nidsrelated pulsesremote accessremote servicesresearchedresolverrorreverse dnsrpcsrsa tlsrussiasabeysamplessandboxscams & fraudscan endpointsscript domainsscript urlsscripting attackssearchserce internetuserverserver caserver errorserversshellshowshowingsingaporesinkhole cookieslcc2slovakiasoap commandsocial media securitysoftware developmentsoftware exploitationsouth americaspainspamspammerssdeepssl certificatestatusstreamsubject keysuspsweepswippert1003t1005t1012t1021t1021.001t1023t1027t1030t1036t1040t1045t1047t1055t1057t1059t1059.001t1059.007t1060t1064t1069.001t1071t1071.001t1078t1082t1086t1089t1105t1106t1112t1119t1129t1133t1140t1143t1189t1189 
foundt1190t1203t1204t1204.001t1204.002t1210t1485t1486t1496t1499.002t1564t1565t1566t1573t1587.001t1589.001t1590.001taiwantechtextthailandthreat actorthreat roundthreat rounduptimo salzsiedertitletls hybridtofseetoolstor nodetotaltptjswtrid adobetrojantrojan featurestrojan malwaretrojandroppertrojanspytsara brashearsttl valuetulachtype gettype nameunitedunited kingdomunited statesupdated dateurlsurls httpurls httpsusersv3 serialvalue snkzvhashvietnamvirtoolvirusweb exploitationweb securityweb trafficwhoiswhois databasewhois lookupwhois recordwhois whoiswin32 exewin32 malwarewindowswindows malwarewindows ntworldwritewrite cwsasendx cachexe exportyara detectionsyara ruleyomi hunterzenbox
Activity Timeline
Apr 20 – Apr 20
Threat Activity Heatmap
Peak: 2026-04-20
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: Low Risk
Signal Score: 15
Confidence: 15%
Reports: 4
First seen: Jul 18, 2025
Last seen: Apr 20, 2026
VirusTotal: Not checked
WHOIS
- domain rank: -1
- raw
  - Create date: 2022-07-15
  - Domain name: hackig.xyz
  - Domain registrar id: 1861
  - Domain registrar url: http://porkbun.com
  - Expiry date: 2023-07-15
  - Name server 1: lakas.ns.cloudflare.com
  - Name server 2: may.ns.cloudflare.com
  - Query time: 2022-07-17 14:49:22
  - Registrant address: 3267309318f7846c
  - Registrant city: 3267309318f7846c
  - Registrant company: 0281ccf0525b55d2
  - Registrant country: United States
  - Registrant email: 3267309318f7846cs@
  - Registrant fax: 3267309318f7846c
  - Registrant name: 0281ccf0525b55d2
  - Registrant phone: 3267309318f7846c
  - Registrant state: d27db43c72d10b85
  - Registrant zip: 3267309318f7846c
  - Update date: 2022-07-15
- references
  - DISTINCTIO8.pdf, FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string, IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set, Tofsee: 'google.com' | https://www.gov50.icu |
  - ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)
  - Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk
  - Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing
  - hubt.pornhub.com | www.pornhub.com | pornative.com
  - https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/
  - www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/
  - Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da
  - IDS Detections: WGET Command Specifying Output in HTTP Headers
  - IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution
  - Yara Detections: is__elf
  - DemonBot
  - Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout
  - FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
  - IDS Detections: Andariel Backdoor Activity (Checkin)
  - Alerts: dead_host nids_malware_alert network_icmp nolookup_communication
  - DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2
  - IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound
  - IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST
  - IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy
  - http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/
  - https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com
  - apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com
  - autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com
  - https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit
  - https://tulach.cc/ | tulach.cc |
  - http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com
  - google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl
  - 18teen.net | teensnow.com | grannies-porn.net | pornmd.com
  - www.pornhubselect.com | pornhub.software
- subdomains count: 0
IOC Journey
Medium · First detected 11 months ago · Last seen 2 months ago
Appeared in 4 threat reports