IOC Radar
Domain · Confidence: medium · Signal 100/100

mfa-gov-tr.cloud

Location: Ukraine
First seen: Oct 23, 2024 (611d before this page was generated)
Last seen: Jun 12, 2026 (14d before this page was generated)
Source reports: 17
Confidence: 99% (level: medium)
Found in 17 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results. The 99% figure is the aggregator's own score; the feed description reproduced under WHOIS below carries confidence_level: 25 for the same indicator.
Type: Domain Name (malicious domain used for C2, phishing, or malware distribution)
MISP category: Network Activity
Confidence: 99%
Signal score: 100 / 100
IDS rule: No
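The record ships no IDS rule for this indicator, so the check a practitioner actually runs is a query-log sweep. The following is an added example, not code from IOC Radar or from any of the source reports: a DNS query-log matcher that treats the indicator as a domain suffix, so it catches the subdomain the record says exists but not lookalike names that merely contain the string. The log line format, the client addresses and every line in the sample are constructed for this example; the inclusion of mfa.gov.tr as a must-not-match line reflects the assumption that the indicator imitates that name.

```python
import re
from dataclasses import dataclass

INDICATOR = "mfa-gov-tr.cloud"

# Constructed DNS query log (not from the page or from any real capture).
# Line 1 is the subdomain case, line 2 the mixed-case case, lines 3-5 are
# lookalikes that a naive substring test would wrongly flag.
SAMPLE_LOG = """\
2026-06-12T09:14:02Z client=10.0.0.12 qname=www.mfa-gov-tr.cloud. qtype=A
2026-06-12T09:14:03Z client=10.0.0.12 qname=MFA-GOV-TR.CLOUD qtype=AAAA
2026-06-12T09:15:10Z client=10.0.0.31 qname=notmfa-gov-tr.cloud. qtype=A
2026-06-12T09:15:11Z client=10.0.0.31 qname=mfa-gov-tr.cloud.cdn.example. qtype=A
2026-06-12T09:16:00Z client=10.0.0.44 qname=mfa.gov.tr. qtype=A
garbage line that the parser must skip
"""

# Hypothetical key=value log layout chosen for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def normalize_fqdn(name: str) -> str:
    """Lower-case and drop the trailing dot resolvers often log (FQDN form)."""
    return name.strip().rstrip(".").lower()


def matches_indicator(qname: str, indicator: str = INDICATOR) -> bool:
    """Exact or child-label match only.

    'notmfa-gov-tr.cloud' and 'mfa-gov-tr.cloud.cdn.example' both contain the
    indicator as a substring but are different registrations, so they must
    not match; 'www.mfa-gov-tr.cloud' is a subdomain and must.
    """
    q, ioc = normalize_fqdn(qname), normalize_fqdn(indicator)
    return q == ioc or q.endswith("." + ioc)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str


def scan_dns_log(text: str, indicator: str = INDICATOR) -> list[Hit]:
    """Return every well-formed log line whose qname matches the indicator."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        if matches_indicator(m["qname"], indicator):
            hits.append(Hit(m["ts"], m["client"], normalize_fqdn(m["qname"])))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.qname}")
```

Only the first two lines produce hits, both from the same client; the three lookalikes and the malformed line are dropped. The same suffix rule is what a resolver-level blocklist applies, so a match here means the block would have fired, not that the name still resolves.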
Threat Context

MITRE ATT&CK TTPs (41 techniques, taken from the tags attached to the source reports)

T1016, T1021, T1021.001, T1027, T1040, T1041, T1055, T1059, T1059.007, T1071, T1071.001, T1076, T1078, T1083, T1105, T1110, T1110.002, T1190, T1203, T1204.001, T1486, T1490, T1496, T1499.001, T1499.002, T1499.003, T1562, T1563, T1565, T1566, T1566.001, T1566.002, T1566.003, T1566.004, T1573, T1583, T1587.001, T1588, T1590.001, T1595, T1619

Treat this as the union of techniques tagged across the 17 source reports, not as behaviour observed for this domain alone. T1076 is a retired ATT&CK ID (Remote Desktop Protocol), now covered by T1021.001.
Feed Intelligence Summary

Source reports: 17 · Confidence score: 99%

Category tags (aggregated across all source reports):
abuse, academic institutions, account security, aerospace & defense, amazon, applied research, apt, apt29, archive exfiltration, asia, attack, aws iam, aws secure, botnet, botnet activity, brute force, c2, c2 communication, cert, cisa, civil services, code injection, command and control, communication technologies, compromised host, credential access, credential harvesting, credential stuffing, crlf, cybervolk, archive data, image data, data encryption, data exchange, data exfiltration, ddos attack, defense, defense contracting, defense logistics, defense systems, defense technology, development labs, device security, dga, distributed attacks, earth koshchei, edgecast w, education, educational resources, educational services, educational technology, energy, energy distribution, europe, exploit, extortion, find, foreign affairs, ftp brute force, government technology, higher education, http brute force, hybrid, iam identity, identity center, impair defenses, imphash, indicator, indonesia, information technology, infrastructure acquisition reconnaissance, innovation management, intel, intrusion detection, it infrastructure, javascript zju sama, k-12 education, latest news, learn, or file path, malicious activity, malicious activity indicators, malicious links, malicious software, malware, malware distribution, midnight blizzard, military operations, mobile carriers, mobile networks, national security, nazwa smyczki, filename has, network, network security, north america, oil & gas, operating system security, pejzasz, phishing, phishing attack, power generation, power systems, process injection, product development, protect, protocol exploitation, public administration, public infrastructure, public policy, pyrdp, r&d strategy, ransomware, rdp campaign, regulatory agencies, remote access, remote services, remoteurl has, renewable energy, research, research & development, research methodology, researched, rgba, rogue threat, rogue_rdp, scanner, scientific research, secure data, services, small, social engineering, software development, spear-phishing, ssh attack, stop, suomi, system disruption, quick start, T1016, T1021, T1021.001, T1027, T1040, T1041, T1055, T1059, T1059.007, T1071, T1071.001, T1076, T1078, T1083, T1105, T1110, T1110.002, T1190, T1203, T1204.001, T1486, T1490, T1496, T1499.001, T1499.002, T1499.003, T1562, T1563, T1565, T1566, T1566.001, T1566.002, T1566.003, T1566.004, T1573, T1583, T1587.001, T1588, T1590.001, T1595, T1619, target, technology research, ascii text, telecom, telecom services, telecommunications, telnet threat, compatibility test, threat actor, threat insights, threat intelligence, tools, tor exit nodes, trend micro, trend vision, ukraine, unauthorized devices, united states, vision one, in the case of, web exploitation, web security, web shell, whasz, yara detections, with very, with terminators, zero trust, zip archive, zts device

Activity Timeline

1 observation in total: Jun 12, 2026

Threat Activity Heatmap

Peak: 2026-06-12. The 12-month calendar grid ending Jun 2026 shows that single observation and no other activity.
Observation counts: last 24h: 0 (Dormant) · last 7d: 0 (Dormant) · last 30d: 1 (Minimal) · last 3mo: 1 (Minimal)
Intelligence Summary (AI generated)

The domain **mfa-gov-tr.cloud** has emerged as a significant indicator of compromise (IOC) linked to multiple cyber threats, first observed on October

Threat Score: High Risk (100)

VirusTotal: Not checked

WHOIS

Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com (IANA ID 303; WHOIS server whois.publicdomainregistry.com; www.publicdomainregistry.com)
Feed description: References: https://community.riskiq.com/article/f1657bc5/indicators, confidence_level: 25, last_seen_utc: Not_Available
Domain rank: -1
Subdomains count: 1

Raw record (the registry and registrar responses were concatenated by the aggregator, so most fields appear twice; identical values are collapsed here):
Domain Name: MFA-GOV-TR.CLOUD / mfa-gov-tr.cloud
Registry Domain ID: DO_11df265e36c25b467b83c991f6a3b81a-ARUBA (registrar response: Not Available From Registry)
Creation Date: 2024-08-14T12:27:51Z
Updated Date: 2025-09-24T01:10:31Z
Registry Expiry Date: 2025-08-14T12:27:51Z
Registrar Registration Expiration Date: 2025-08-14T12:27:51Z
Domain Status: redemptionPeriod, pendingDelete, serverHold, clientTransferProhibited, serverTransferProhibited, serverUpdateProhibited (EPP codes per https://icann.org/epp#)
Name Server: dns11.parkpage.foundationapi.com, dns12.parkpage.foundationapi.com
DNSSEC: unsigned
Registrant: name, organization, street, city, postal code, phone and fax replaced by redaction hashes (7bc26f5a5e70d417, 3432650ec337c945, 3124a84464d1c661); Country: DE; Email: [email protected]
Admin / Tech contacts: GDPR Masked; Email: [email protected]
Registrar Abuse Contact: [email protected]; phone +1.2013775952 / +971.72046060

What the record says about the indicator's current state: the registration expired on 2025-08-14 and, as of the 2025-09-24 update, sat in redemptionPeriod/pendingDelete with serverHold, which removes the name from the .cloud zone, on the registrar's parking nameservers. The creation date (2024-08-14) also precedes the first sighting (2024-10-23) by about ten weeks. The Jun 12, 2026 last-seen date therefore postdates expiry: treat it as a re-report of the indicator, and check whether the name has since dropped and been re-registered, before relying on live resolution for blocking or hunting.

References:
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt
https://threatfox.abuse.ch/export/csv/recent/
https://cybersecuritynews.com/hackers-leverage-red-team-tools-in-rdp-attacks/
https://cert.gov.ua/article/6281076
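The raw WHOIS string on this page is two records run together with no line breaks, which is how many aggregators store it. The following is an added example, not IOC Radar's own code: a parser that splits such a blob on the fixed ICANN field vocabulary (so capitalised values like "GDPR Masked" or "Not Available From Registry" are not mistaken for keys), keeps repeated fields as ordered lists, and then answers the questions an analyst asks of a stale indicator: has the registration lapsed, would the name have resolved, and does the last sighting fall after expiry. The embedded record is an abbreviated excerpt of the page's raw WHOIS; the "parked nameserver" check is a hostname heuristic assumed for this example, not a registrar-documented signal.

```python
import re
from datetime import date, datetime

# Abbreviated excerpt of the raw WHOIS string shown on this page (registry and
# registrar responses concatenated, hence the repeated keys).
RAW_WHOIS = (
    "Domain Name: MFA-GOV-TR.CLOUD Domain Name: mfa-gov-tr.cloud "
    "Creation Date: 2024-08-14T12:27:51.309Z Creation Date: 2024-08-14T12:27:51Z "
    "DNSSEC: Unsigned DNSSEC: unsigned "
    "Domain Status: REDEMPTIONPERIOD https://icann.org/epp#redemptionPeriod "
    "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited "
    "Domain Status: pendingDelete https://icann.org/epp#pendingDelete "
    "Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod "
    "Domain Status: serverHold https://icann.org/epp#serverHold "
    "Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited "
    "Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited "
    "Name Server: dns11.parkpage.foundationapi.com Name Server: dns12.parkpage.foundationapi.com "
    "Registrar IANA ID: 303 Registrar Registration Expiration Date: 2025-08-14T12:27:51Z "
    "Registrar: PDR Ltd. Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com "
    "Registry Domain ID: DO_11df265e36c25b467b83c991f6a3b81a-ARUBA "
    "Registry Domain ID: Not Available From Registry "
    "Registry Expiry Date: 2025-08-14T12:27:51.309Z "
    "Updated Date: 2025-09-24T01:10:31.153Z Updated Date: 2025-09-24T01:10:31Z"
)

# Field names from the ICANN registration-data template. Longest first, so
# "Registrar Registration Expiration Date" is tried before "Registrar" and
# "Registrant Fax Ext" before "Registrant Fax".
WHOIS_KEYS = sorted([
    "Domain Name", "Domain Status", "Name Server", "DNSSEC",
    "Creation Date", "Updated Date", "Registry Expiry Date",
    "Registry Domain ID", "Registry Registrant ID", "Registry Admin ID", "Registry Tech ID",
    "Registrar", "Registrar URL", "Registrar WHOIS Server", "Registrar IANA ID",
    "Registrar Registration Expiration Date",
    "Registrar Abuse Contact Email", "Registrar Abuse Contact Phone",
    "Registrant Name", "Registrant Organization", "Registrant Street", "Registrant City",
    "Registrant State/Province", "Registrant Postal Code", "Registrant Country",
    "Registrant Phone", "Registrant Phone Ext", "Registrant Fax", "Registrant Fax Ext",
    "Registrant Email",
    "Admin City", "Admin Country", "Admin Email", "Admin Organization",
    "Admin Postal Code", "Admin State/Province",
    "Tech City", "Tech Country", "Tech Email", "Tech Organization",
    "Tech Postal Code", "Tech State/Province",
], key=len, reverse=True)
# A key starts at the beginning of the blob or right after a space and is
# followed by ": "; everything up to the next key is its value.
KEY_RE = re.compile(r"(?:^|(?<= ))(" + "|".join(map(re.escape, WHOIS_KEYS)) + r"): ")


def parse_whois(blob: str) -> dict[str, list[str]]:
    """Split a flattened WHOIS string into key -> ordered list of distinct values."""
    fields: dict[str, list[str]] = {}
    matches = list(KEY_RE.finditer(blob))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(blob)
        value = blob[m.end():end].strip()
        values = fields.setdefault(m.group(1), [])
        if value not in values:  # registry and registrar copies often repeat verbatim
            values.append(value)
    return fields


def parse_whois_date(value: str) -> date:
    """Accept both '...T12:27:51Z' and '...T12:27:51.309Z' spellings."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").date()


def assess_domain(fields: dict[str, list[str]], last_seen_iso: str) -> dict:
    """Answer the stale-IOC questions from the parsed record."""
    statuses = {v.split()[0] for v in fields.get("Domain Status", [])}
    lowered = {s.lower() for s in statuses}
    expiry = min(parse_whois_date(v) for v in
                 fields.get("Registry Expiry Date", []) +
                 fields.get("Registrar Registration Expiration Date", []))
    updated = max(parse_whois_date(v) for v in fields.get("Updated Date", []))
    nameservers = [v.lower() for v in fields.get("Name Server", [])]
    return {
        "statuses": statuses,
        "expiry": expiry,
        "updated": updated,
        # EPP redemptionPeriod / pendingDelete mean the registration has lapsed
        "lapsed": bool(lowered & {"redemptionperiod", "pendingdelete"}),
        # serverHold removes the name from the TLD zone: it would not resolve
        "in_zone": "serverhold" not in lowered,
        # a sighting after expiry is a re-report or a re-registration, not proof of life
        "sighting_after_expiry": date.fromisoformat(last_seen_iso) > expiry,
        # assumed heuristic: the registrar's parking hosts carry "parkpage" in the name
        "parked": any("parkpage" in ns for ns in nameservers),
    }


if __name__ == "__main__":
    record = parse_whois(RAW_WHOIS)
    for key, values in record.items():
        print(f"{key}: {' | '.join(values)}")
    print(assess_domain(record, "2026-06-12"))
```

Run against the page's record this reports a lapsed, held, parked domain whose Jun 2026 sighting falls after the Aug 2025 expiry. The key vocabulary is the part to extend when a registrar emits non-standard fields; an unknown key is simply absorbed into the preceding value rather than silently creating a wrong one.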

