Domain · High · Verified · Signal 36/100
jornais.org
Location
First Seen
Mar 27, 2025
Last Seen
Jun 2, 2026
Found in 5 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
36%
Signal Score
36 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
5 source reports · 36% confidence score
Category tags
Activity Timeline
Jun 2 to Jun 2
Threat Activity Heatmap
Peak: 2026-06-02
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Low Risk (signal 36)
Confidence: 36%
Reports: 5
First seen: Mar 27, 2025
Last seen: Jun 2, 2026
Verified IOC
VirusTotal
Not checked
WHOIS
- registrar: NAMECHEAP INC
- description
- Operation Endgame: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or **Mirai** (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
- domain rank: -1
- references
- subdomains count: 8
IOC Journey
High · First detected 1 year ago · Last seen 10 days ago
Appeared in 5 threat reports