IOC Radar
Domain · High · Verified · Signal 64/100

mailserver.downloadnow-1.com

Location: United States
First Seen: Mar 26, 2025 (444 days ago)
Last Seen: Jun 2, 2026 (11 days ago)
Reports: 4 source reports
Confidence: 64% (high)
Found in 4 reports. Confidence: high. Confidence scores are heuristic; verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 64%
Signal Score: 64 / 100
IDS Rule: No
Threat Context (Tags, MITRE ATT&CK)

MITRE ATT&CK TTPs: 107 techniques

Feed Intelligence Summary

Category tags
aaaaabuseacceptaccount compromiseaccount securityaccountcompromiseactive relatedactive scanactive scanningad fraudad tevdagadded activeaddressaddress domainadjfprem ordadvertising network abuseadwindaffectedplatform: adultcontentaffectedplatform: socialmediaage86400 setage900alienvault_ransomwareall imagesall ipv4all scoreblueall searchallmul vbaget4alphacrypt cncamericaamerica asnamerica flaganalyzeandroidanyone elseapeaksoft iosappleapple iosapple iphoneapple itunesapple privateapplication developmentarizonaarkeistealerascii textashburnasnoneasnone denmarkassembly commonassembly nameasyncratattackattackvector: malwareattackvector: phishingatx dcitauctionauthenticationauthorauthor avatarauthorityauthority keyav detectionsavg win32b documentb59bn timestampbabebackdoorbad reputationbae systemsbanloadbayrobbeaconbecomebecome ablack propagandablur filterbodybody doublesbody htmlbody lengthbonusbitcoinborland delphibotnetbotnet activitybrand abusebrand reputationbrian sabeybrowse scanbrowserbrute forcebrute force attackc2ca issuerscache controlcallback phishingcanadacanada unknowncanecapecertified peerchapter leadcharacter assassinationcheckercheckincheckschecks amountchecks systemchromeck idck matrixclassclickclick-based attackcloud infrastructurecloudfront xclr versioncnamecnccodecode executioncode injectioncolibri loadercommandcommand & controlcommand and controlcommand executioncommunication protocolcommunity managementcompromised websitesconfirm httpscontactcontacted hostscontentcontent poisoningcontent scrapingcontent sharingcontent typecontinuecookiecopycorecountrycowboycreation datecredential accesscredential harvestingcredential stuffingcredential theftcrlf linecryptbotcryptocurrencycsc corporatecus cnletcvss v2cyber defensecyber libelcyber threatscycbotdailydanabotdarkdatadata accessdata breachdata brokersdata centersdata collectiondata copyingdata exfiltrationdata leakdata misusedata problemdata reportsdata rtversiondata scrapingdata store exposuredata 
transferdata uploaddays agoddosdeletedelete cdelete seedelphi genericdetailsdevelopment methodologiesdevopsdga domaindigital platformsdisplaynamedistributed attacksdiv divdiv sectiondns attackdnssecdockdomaindomainsdomains showdonedos borlanddouble clickdraiedropped cdynamicloadere weowe64eecc ca2ecc ca3ecdsaeliteemailsemails metaemotetencryptencryptionenomenter senter scenter soudcetdienter soudseentriesentries relatedentropy chi2entry pointerroret toret trojanet useragentseuropeeurope/asiaexchange openexcludeexclude dataexclude suggesexe sizeexecutable fileexpirationexpiration dateexpiration httpexploitexploitation activityexternal-resourcesextrextr dataextraextra dataextrac pleaseextraction dataextre amanuavextri dataextri includeextri includedf httpsfailedfalsefalse informationfastfilelfilel datafilesfiles cfiles deletedfiles domainfiles ipfiles relatedfinal urlfinancefinancial servicesfindfind peoplefind sfind suxxesteufireeyeflagfooterfor privacyformformbook cncforums newsfoundfound titlefoundryfrancefraudgate parkwaygeckogeneral fullgeneratorgenericgermanyget involvedget nagetdc copyimagegmtngo daddygo httpgooglegoogle safegoogle searchgpt analyzergraphgraph summarygreengrumguardguloaderhackerhacker newshackershardcore pornhauthdi adheader intelheadershighhigh attackhistorical sslhostilehostnamehostname addhostname analysishostname enumerationhtmlhtml infohttphttp attackhttp responsehttp scannerhttponly xhttpshybridicann whoisico rtgroupiconidentifier ididentity & access exploitationids detectionsieedge chrome1iframesimpactincludeinclude reviewindicatorindicators showindiicatun datainfo headerinformation gatheringinformation technologyinfostealerinfrastructure acquisitionreconnaissanceingress tool transferinjection activityinput validation bypassinteliociocsiosiot securityipv4ipv4 addipv6ireland unknownissuerit infrastructureitemitunesjeffrey reimerkey identifierkey infokeyskhtmlknown torkompozlearnlearn moreleastlegal issueslemon duckless seeli 
ullimitedlink librarylinkslinux x8664litespeed xloaderidlocallog idloki passwordlovelsan franciscom brian sabeymalicious activitymalicious advertisingmalicious downloadmalicious linksmalicious softwaremalicious urlsmalvertisingmalwaremalware campaignmalware distributionmalware hostingmalware httpmanuany browsemark b sabeymedia centermediummetameta httpmeta namemetadata analysismetadata headermetromiles2misc httpmitre attmobile threatmodule loadmonths agomost relevantmovedms visualms windowsmsiemsilmustang pandaname md5name serversname tacticsnamesnegative seonetherlandsnetworknetwork probingnetwork scanningneutralnextnext associatednivdortnjratnone googlenordvpnsetupnorth americanumbernumbersoff bluromainonline harassmentonline reputation managementonloadonv incmdeopenopen threatoperating systemoperating system securityorionorion logoorion wiotx scoreblueoutputpaid parkingparisparking crewspassive dnspassword attackspatchedpath maxpath traversalpattern matchpay-per-click fraudpe resourcepe32 executablepe32 protectorpegasuspersonal dataphishingphishing attackphishing attemptsplaypleaseplugxpng imagepolitical influencepornporn relatedporn videospornography distributionportpostal codepragmapresent aprpresent augpresent decpresent febpresent janpresent julpresent junpresent marpresent novpresent octpresent seppressprimary requestprocessprocess injectionprocess32nextwproduct developmentprotocol h2pulsepulse pulsespulse submitpulsespulses otxpulses urlpushputspythonquality assuranceransomransomwareread crealteck audiorecentreconnaissancerecord valueredacted forrefloadapihashregistry keysregistry runrelatedrelated nidsrelated pulsesrelated tagsremcosremote accessremote servicesreport spamreputation damageresearchedresource hashresults julresults junreverse dnsreviewreview datareview excludereview locsrgbarndcharrndhexrobots contentrole titlerouterticon englishrticon neutralrticon russianruntimerussiarva entrysabeysabey datasabey data centerssafe browsingsafebaesakula 
malwaresale worldwidesamsungsc datasc typescams & fraudscanscan endpointsscannerscript domainsscript scriptscript urlssearchsearch engine manipulationsearch resultssearchtsaseard typesecure serversecurity tlsseenserver responseserversserviceserving ipsettings cshared csharedink csharedinkarsa csharedinkbgbg csharedinkcscz csharedinkdadk cshowshowingsim unlocksinkhole cookiesitesizeskipslcc2smearsmear campaignsnatchsneaky serversocial analyticssocial engineeringsocial mediasocial media abusesocial media manipulationsocial media marketingsocial media securitysocial networkingsoftware architecturesoftware developmentsoftware engineeringsoftware exploitationsoftware testingsortspainspamspawnssptoxspytox ogssl certificatestart folderstatusstatus codestcastealerstopstop typstop xstreamstreams sizestreetstringsstrivenstrong namesubject publicsuggessugges datasuggested ocssummarysuspswippert1005t1012t1021t1021.001t1023t1027t1030t1031t1047t1051t1053t1055t1055.013t1056t1056.001t1057t1059t1059.007t1060t1068t1069t1069.001t1070t1071t1071.001t1071.004t1078t1080t1082t1098t1105t1110.001t1110.002t1110.003t1110.004t1112t1113t1114t1119t1123t1125t1129t1133t1140t1143t1155t1189t1190t1199t1203t1204t1204.001t1204.002t1210t1480t1486t1496t1499.001t1499.002t1499.003t1506t1518t1518.001t1534t1553t1553.002t1565t1566t1566.001t1566.002t1566.003t1567.001t1568t1568.002t1583t1583.001t1583.005t1584t1584.004t1586t1586.001t1587.001t1588t1588.006t1589t1589.001t1590t1590.001t1591t1591.002t1592t1593t1594t1595t1595.001t1595.002t1595.003t1596t1597t1598t1599t1600t1601t1602t1608t1608.001t1609ta569tags viewporttargettbmvidteamsteen studentstewdactext/htmlthird-party riskthird-party-cookiesthreatthreat actorthreat exchangethreat roundupthreatactor: brian sabeytitletitle addedtitle spytoxtls webtmobile metrotofseetofsee botnettoolstop tsarator nodetotaltrellixtridenttrojantrojan malwaretrojandroppertrojanspytryporntsaratsara brashearstsara typetwittertwitter migrationtyp indicalontypetype indicatortype 
mimetypetype nametype win32typesubuntuunauthorizedunicodeuniqueunitedunited kingdomunited statesunknown nsunknown soauny inuuueurlsurls showurlscan httpsurlvoidus urlscanuseruser engagementuser executionutc googlev3 serialv3 severityvalue snkzvaryverdictvideosvideos shoppingviewvirgin islandsvirtoolvirustotal apivoidvpnvulnerability scanwatchwatch tsarawebweb application attackweb application exploitationweb exploitationweb moreweb securityweb trafficwebsitewebsite defacementweinedoewse netwest domainswhoiswin16 newin32 dynamicwin32 exewin32 malwarewindirwindowswindows malwarewindows ntwordpress vulnerabilitieswormwritewrite cwritten cx requestx00x00x3 oletx509v3 subjectxml titlexorddosxportxslayerxxx videosyandexyara detectionsyara rule

Activity Timeline

1 total observation (Jun 2)

Threat Activity Heatmap

[Weekly activity grid, Jun through the following Jun; peak: 2026-06-02]

24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)

This Indicator of Compromise (IOC), identified as a domain name, represents a significant and active threat to organizational cybersecurity. With a high score of 64.12 and explicit links to prominent ransomware and APT groups, its presence is a strong signal of potential compromise or targeted attack activity. The associated malware families, including various Trojans, backdoors, and ransomware, suggest a broad array of potential hostile actions, such as unauthorized access, data exfiltration, a…

Threat Score: Medium Risk (64)
Signal Score: 64
Confidence: 64%
Reports: 4
First seen: Mar 26, 2025
Last seen: Jun 2, 2026
Verified IOC

VirusTotal: Not checked

WHOIS

Registrar: NAMECHEAP INC

Raw record:
Admin City: Reykjavik
Admin Country: IS
Admin Email: [email protected]
Admin Organization: Privacy service provided by Withheld for Privacy ehf
Admin Postal Code: 101
Admin State/Province: Capital Region
Creation Date: 2025-07-08T04:46:25.00Z
Creation Date: 2025-07-08T04:46:25Z
DNSSEC: unsigned
Domain Name: DOWNLOADNOW-1.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain name: downloadnow-1.com
Name Server: DNS1.NAMECHEAPHOSTING.COM
Name Server: DNS2.NAMECHEAPHOSTING.COM
Name Server: dns1.namecheaphosting.com
Name Server: dns2.namecheaphosting.com
Registrant City: ddbf76e4e8cee320
Registrant Country: IS
Registrant Email: [email protected]
Registrant Fax Ext: 3432650ec337c945
Registrant Fax: 3432650ec337c945
Registrant Name: 37bfbc24cafea5d2
Registrant Organization: 4b7a0912c26a13e2
Registrant Phone Ext: 3432650ec337c945
Registrant Phone: 1c9a7bcdeaf95e9f
Registrant Postal Code: f206c9d9737ad45d
Registrant State/Province: 3e0204199d8ebf9c
Registrant Street: c6523241936df1ba
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Registrar Abuse Contact Phone: +1.9854014545
Registrar IANA ID: 1068
Registrar Registration Expiration Date: 2026-07-08T04:46:25.00Z
Registrar URL: http://www.namecheap.com
Registrar WHOIS Server: whois.namecheap.com
Registrar: NAMECHEAP INC
Registrar: NameCheap, Inc.
Registry Domain ID: 2998487620_DOMAIN_COM-VRSN
Registry Expiry Date: 2026-07-08T04:46:25Z
Tech City: Reykjavik
Tech Country: IS
Tech Email: [email protected]
Tech Organization: Privacy service provided by Withheld for Privacy ehf
Tech Postal Code: 101
Tech State/Province: Capital Region
Updated Date: 0001-01-01T00:00:00.00Z
Updated Date: 2025-08-05T23:08:20Z

IOC Journey

Confidence: high
First detected 1 year ago · Last seen 11 days ago
Appeared in 4 threat reports