IOC Radar
DomainMediumSignal 84/100

mailer-daemon.online

Location
Iran, Islamic Republic ofIran, Islamic Republic of
First Seen
Dec 1, 2022
Last Seen
May 5, 2026
Dec 1
First Seen
1289d ago
May 5
Last Seen
39d ago
12
Reports
source reports
84%
Confidence
medium
Found in 12 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
84%
Signal Score
84 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

44 techniques

Feed Intelligence Summary

12 reports84% confidence
12
Source reports
84%
Confidence score
Category tags
active scanactive scanningaptapt35apt42asiaaustraliaauthaccj8rr4cb1a httpbelleza equiposbotnetbotnet activitybrute forcecertciudadcivil servicescold-callingcommand and controlcommunication protocolcredential accesscredential harvestingcredential stuffingcredential theftdata encryptiondata exfiltrationdata store exposuredatabase securityddosdenial of servicedistributed attacksencryptionexploitation activityfinforeignftpftp brute forcefuturegeuanrtsuy httpgovernment technologyhemmjcbviy httphttp brute forcehttp scanneridentity & access exploitationilengb httpsindicatorinitial accessinjection activityinjection attacksinsiktinsikt groupintrusion detectioniranirgckgcsjdfhty httplateral movementleer msmaldocmalicious softwaremalwaremediamobile threatnetworknetwork attacksnetwork intrusionnetwork probingnetwork protocolnetwork scanningnetwork securityngooceaniaphishingphishing attackpolticaprivacyprocess injectionpublic administrationpublic infrastructurepublic policyreconnaissanceregulatory agenciesremote accessremote servicesresearchedsalascannersir banisocial engineeringssh attacksupply chain attacksynt1021t1021.001t1021.002t1040t1055t1059t1059.003t1059.004t1059.005t1071.001t1076t1077t1110t1110.001t1110.002t1110.003t1189t1190t1210t1486t1496t1499.001t1499.002t1499.003t1563t1565t1566.001t1566.002t1566.003t1589t1589.002t1590t1590.001t1590.002t1590.003t1590.004t1592t1592.001t1592.002t1592.003t1595t1595.001t1595.002t1595.003tcp protocolthreat actorthreat analysisthreat intelligencetinyurltor nodeturkeytwo-factor authenticationtyposquatunauthorized access attemptutensiliosvaporalvistavulnerability scanwcsaejyhqy httpweb loginweb trafficwishlist vistawordxktfqqpmda httpxmasyas forum

Activity Timeline

1 total obs
May 5May 5

Threat Activity Heatmap

· Peak: 2026-05-05
Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Intelligence SummaryAI Generated

The domain **mailer-daemon.online** has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threat activities originating from Iran. First observed on December

Threat ScoreHigh Risk
84
SIGNAL
Signal Score
84%
Confidence
12
Reports
First seenDec 1, 2022
Last seenMay 5, 2026

VirusTotal

Not checked

WHOIS

description
This is a pulse created to house CND internal IOCs that we want to monitor, please add title to explain what the IOC and a further description of if this is needed.
domain rank
-1
raw
Create date: 2025-01-13 00:00:00 Domain name: mailer-daemon.online Domain registrar id: 1068 Domain registrar url: https://namecheap.com Expiry date: 2026-01-13 00:00:00 Name server 1: dns1.registrar-servers.com Name server 2: dns2.registrar-servers.com Query time: 2025-01-14 12:14:31 Registrant company: 4b7a0912c26a13e2 Registrant country: Iceland Registrant email: 29e2c061f3c9524es@ Registrant state: 3e0204199d8ebf9c Update date: 2025-01-13 00:00:00
references
https://www.ic3.gov/Media/News/2024/240927.pdf, https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank, 2640656.misp-json, https://go.recordedfuture.com/hubfs/reports/cta-2022-1129.pdf, https://mailer-daemon.net/file=sharing=system/file.id.x=xxxxxx/first.check.html, https://continuetogo.me/Sec=Tab=settings/id=xxxxx=xxxxx/continue-to-settings.php, https://mailer-daemon.net/file=sharing=system/file.id.X=xxxxxx/continue-to-settings.php, https://mailer-daemon.live/sec=file=sharing/check.id=xxxxxxxx=xxxxxx/index.php, https://tinyurl.ink/8tio97cy/Iran%20nuke.docx
subdomains count
0

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 3 years ago · Last seen 1 month ago
Appeared in 12 threat reports