Domain · Medium · Signal 88/100
msonline.help
Location
First Seen
Feb 5, 2026
Last Seen
Jun 6, 2026
Found in 12 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
88%
Signal Score
88 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
- 12 source reports
- 88% confidence score
Category tags
Activity Timeline
Jun 6
Threat Activity Heatmap · Peak: 2026-06-06
- 24h: 0 (Dormant)
- 7d: 0 (Dormant)
- 30d: 1 (Minimal)
- 3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain **msonline.help**, originating from Estonia, has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats. First observed on February
Threat Score: High Risk (88)
- Signal Score: 88%
- Confidence: 12 reports
- First seen: Feb 5, 2026
- Last seen: Jun 6, 2026
VirusTotal
Not checked
WHOIS
- domain rank: -1
- raw:
- Administrative city: Phoenix Administrative country: United States Administrative email: [email protected] Administrative state: AZ Billing city: Phoenix Billing country: United States Billing email: [email protected] Billing state: AZ Create date: 2025-05-01 00:00:00 Domain name: msonline.help Domain registrar id: 1479.0 Domain registrar url: whois.namesilo.com Expiry date: 2026-05-01 00:00:00 Name server 1: DEAN.NS.CLOUDFLARE.COM Name server 2: DORTHY.NS.CLOUDFLARE.COM Query time: 2025-12-23 19:45:21 Registrant address: 4450dc66882e5a1e Registrant city: 7a96e04d2a2490b3 Registrant company: 566bb814321610e4 Registrant country: United States Registrant email: [email protected] Registrant name: 6282d5b2665f253a Registrant phone: ae3ea006f3cca5c3 Registrant state: e1c7c1911395a3cf Registrant zip: c692e0cb8851b160 Technical city: Phoenix Technical country: United States Technical email: [email protected] Technical state: AZ Update date: 2025-12-17 00:00:00
- references:
- https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage, IOCs.3.csv, https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/
- subdomains count: 0
IOC Journey
Medium · First detected 4 months ago · Last seen 8 days ago
Appeared in 12 threat reports