IOC Radar
Domain · Medium · Signal 81/100

mail2000tw.com

Location
Kazakhstan
First Seen
Feb 26, 2021 (1934d ago)
Last Seen
May 1, 2026 (45d ago)
Reports
9 source reports
Confidence
81% (medium)
Found in 9 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
81%
Signal Score
81 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK TTPs
55 techniques

Feed Intelligence Summary

9 source reports · 81% confidence score
Category tags

Activity Timeline

1 total observation (May 1)

Threat Activity Heatmap

· Peak: 2026-05-01
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 81
Confidence: 81%
Reports: 9
First seen: Feb 26, 2021
Last seen: May 1, 2026

VirusTotal

Not checked

WHOIS

registrar
PDR Ltd. d/b/a PublicDomainRegistry.com
description
In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.
domain rank
-1
raw
Admin City: city
Admin Country: CN
Admin Email: [email protected]
Admin Postal Code: 400338
Admin State/Province: Chongqing
Creation Date: 2019-05-14T08:17:21Z
DNSSEC: Unsigned
DNSSEC: unsigned
Domain Name: MAIL2000TW.COM
Domain Status: REDEMPTIONPERIOD https://icann.org/epp#redemptionPeriod
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod
Name Server: DNS10.PARKPAGE.FOUNDATIONAPI.COM
Name Server: DNS11.PARKPAGE.FOUNDATIONAPI.COM
Registrant City: 68b1eb648c5a1c80
Registrant Country: CN
Registrant Email: [email protected]
Registrant Fax Ext: 3432650ec337c945
Registrant Fax: 3432650ec337c945
Registrant Name: 646942d5461c5f81
Registrant Organization: 3432650ec337c945
Registrant Phone Ext: 3432650ec337c945
Registrant Phone: 2ebb932a8a532c52
Registrant Postal Code: d96bcd76877adf9d
Registrant State/Province: 84cefd742db4218a
Registrant Street: c229494f55a4dfd0
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2013775952
Registrar IANA ID: 303
Registrar Registration Expiration Date: 2023-05-14T08:17:21Z
Registrar URL: http://www.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Registrar WHOIS Server: whois.PublicDomainRegistry.com
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registry Admin ID: Not Available From Registry
Registry Domain ID: 2390697820_DOMAIN_COM-VRSN
Registry Expiry Date: 2023-05-14T08:17:21Z
Registry Registrant ID: Not Available From Registry
Registry Tech ID: Not Available From Registry
Tech City: city
Tech Country: CN
Tech Email: [email protected]
Tech Postal Code: 400338
Tech State/Province: Chongqing
Updated Date: 2023-06-25T09:02:19Z
references
https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html, https://labs.inquest.net/iocdb
subdomains count
4

IOC Journey

medium
First detected 5 years ago · Last seen 1 month ago
Appeared in 9 threat reports