IOC Radar
Domain · Medium · Signal 58/100

korxddl.top

Location
United States
First Seen
May 22, 2025
Last Seen
Jun 15, 2026
First Seen: May 22 (400d ago)
Last Seen: Jun 15 (11d ago)
Reports: 14 source reports
Confidence: 58% (medium)
Found in 14 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
58%
Signal Score
58 / 100
IDS Rule
No
Threat Context
Tags

MITRE ATT&CK TTPs: 85 techniques

Feed Intelligence Summary

14 source reports · 58% confidence score
Category tags
aaaaaccount compromiseactive relatedactive scanningamadeyamazon cloudfront abuseascii textattackavailable frombodybotnetbrowser infectionbrute forcec2c2 activityck idclick-based attackclickfix urlclipboard data theftcnamazon rsacode executioncode injectioncommand and controlcommand executioncommunity managementcompromised accountcontent sharingcookie theftcookies stealercopy md5copy sha1copy sha256crack malwarecreation datecredential accesscredential harvestingcredential stealercredential stealingcredential stuffingcredential theftcrypto wallet stealercrypto wallet theftcus oamazoncustomer experiencedata accessdata copyingdata exfiltrationdata theftdata transferdeerstealerdetected malicious activitydgadigital commercedigital marketplacedigital platformsdistributed attacksdnssecdynamicloadere-commercee-commerce platformelementemailsentrieserrorevasion tacticsexploit deliveryfin scanfinancefinancial malwareform grabbingfraudftp brute forcegithub abusehashmd5highhttp attackhttp brute forcehttp c2https c2hybridindicatorinformation stealerinformation technologyinformation theftinfostealerinfrastructure acquisitionreconnaissanceingress tool transferinput validation bypassinsertintercom-attachmentsiocit infrastructurekey algorithmkey infolocallooklummalumma infostealer activitylumma stealerlumma stealer activitylummastealerlummastealer c2m03 validitymalicious activitymalicious domainmalicious filesmalicious linksmalicious powershell activitymalicious softwaremalwaremalware activitymalware analysismalware campaign activitymalware campaign detectionmalware delivery mechanismmalware distributionmalware downloadmalware-as-a-servicemediummitre attmovedmoviename serversnetworknetwork scanningnorth americanull scannumberonline paymentonline retailonline shoppingopen directory exposureopendiropendir exposureoperating systempassive dnspassword stealerpath traversalpattern matchphishingphishing attackphishing campaignprocess injectionpulse submitpulses urlratreconnaissancerecord 
typeredlinerefreshremcos trojanremote accessremote access trojanremote servicesresearchedrestartscripting attackssearchserversshow techniquesmokeloadersocial analyticssocial engineeringsocial mediasocial media attacksocial media marketingsocial media securitysocial media threatsocial networkingsoftware developmentspanssh attackstatusstealerstringssubject publicsyn scant1003t1005t1016t1021t1021.001t1027t1030t1036t1041t1046t1055t1057t1059t1059.001t1059.003t1059.004t1059.005t1060t1063t1069.001t1071t1071.001t1071.004t1076t1078t1078.001t1081t1083t1086t1090.002t1102.002t1105t1110t1110.002t1113t1115t1140t1185t1189t1190t1204t1204.001t1204.002t1480t1483t1486t1496t1499.002t1499.003t1539t1547t1547.001t1552t1555t1555.001t1555.002t1555.003t1560t1563t1565t1566t1566.001t1566.002t1566.003t1566.004t1567t1567.001t1567.002t1568t1571t1573t1583t1583.001t1583.002t1587.001t1588t1588.002t1588.006t1590.001t1595t1595.001t1595.002t1595.003t1598t1598.003themidathreat actortitle addedtoolstov vaiz partnertrojan malwarettl valuetwittertwitter malwaretwitter phishingudp port scanunitedunited statesunknown nsurlsuser engagementuser executionv3 serialverifyweb application exploitationweb crawlerweb crawlingweb data theftweb securitywin32 malwarewindows malwarewritewrite cx.com malwarex.com phishingxmas scanxworm

Activity Timeline

1 total observation (Jun 15)

Threat Activity Heatmap

[heatmap figure: weekly activity cells, Jun through Jun · Peak: 2026-06-15]

Activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 58 (Medium Risk)
Signal Score: 58
Confidence: 58%
Reports: 14
First seen: May 22, 2025
Last seen: Jun 15, 2026

VirusTotal

Not checked

WHOIS

domain rank: -1
raw:
Administrative city: REDACTED FOR PRIVACY
Administrative country: REDACTED FOR PRIVACY
Administrative state: REDACTED FOR PRIVACY
Create date: 2025-05-19 00:00:00
Domain name: korxddl.top
Domain registrar id: 303
Domain registrar url: http://publicdomainregistry.com
Expiry date: 2026-05-19 00:00:00
Name server 1: ariadne.ns.cloudflare.com
Name server 2: cleo.ns.cloudflare.com
Query time: 2025-05-20 12:52:04
Registrant city: 1f8f4166599d23ee
Registrant company: 1f8f4166599d23ee
Registrant country: Russia
Registrant email: 29e2c061f3c9524es@
Registrant fax: 31d1617d95c9a75c
Registrant name: 1f8f4166599d23ee
Registrant phone: 31d1617d95c9a75c
Registrant state: 51ed65ac853a3c01
Registrant zip: 1f8f4166599d23ee
Technical city: REDACTED FOR PRIVACY
Technical country: REDACTED FOR PRIVACY
Technical state: REDACTED FOR PRIVACY
Update date: 2025-05-19 00:00:00
references:
https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html
https://x.com/skocherhan/status/1929354519982301655
https://x.com/skocherhan/status/1929386457090654448
https://x.com/skocherhan/status/1929429181349191910
https://x.com/skocherhan/status/1929438346675180000
https://x.com/skocherhan/status/1929571609536266520
https://x.com/skocherhan/status/1929573013655060911
https://x.com/skocherhan/status/1929573023293513837
https://x.com/skocherhan/status/1929577205727695193
https://x.com/skocherhan/status/1929585474470912154
https://x.com/skocherhan/status/1929588086586974660
https://x.com/skocherhan/status/1929591805688807602
https://x.com/skocherhan/status/1929592834887127513
https://x.com/skocherhan/status/1929607728814530725
https://x.com/skocherhan/status/1929609936973050275
https://x.com/K_N1kolenko/status/1928357337816801788
https://x.com/K_N1kolenko/status/1928385459354231163
https://x.com/K_N1kolenko/status/1928392107787526391
https://x.com/skocherhan/status/1925722015492612251
https://x.com/skocherhan/status/1925729581354385723
https://x.com/skocherhan/status/1925759754615259528
https://x.com/skocherhan/status/1925906391417384965
https://x.com/skocherhan/status/1925907830881529995
https://x.com/skocherhan/status/1925923719660085327
https://x.com/skocherhan/status/1925956392965296497
https://x.com/skocherhan/status/1925958449579368705
https://x.com/skocherhan/status/1925963054061162973
https://x.com/skocherhan/status/1925966566866219299
https://x.com/skocherhan/status/1925968139696615875
https://x.com/skocherhan/status/1925971109343588853
https://x.com/skocherhan/status/1925978589243015202
https://x.com/skocherhan/status/1925992402638024968
https://x.com/skocherhan/status/1925996521226490277
https://x.com/skocherhan/status/1926027951033741400
https://x.com/FABO97662188/status/1932118778625532413
https://x.com/K_N1kolenko/status/1930217410386178320
subdomains count: 0

IOC Journey

Confidence: medium
First detected 1 year ago · Last seen 11 days ago
Appeared in 14 threat reports