Domain: pickupweb.me
Signal 90/100 · Confidence: medium
First Seen
Feb 5, 2026
Last Seen
Jun 16, 2026
Found in 14 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
90%
Signal Score
90 / 100
IDS Rule
No
Feed Intelligence Summary: 14 source reports, 90% confidence score.
Category tags
The tag list on this page is a run-together tag cloud whose separators were lost in extraction. It spans actor, malware-family, tooling, sector, country and technique tags from across the whole feed (APT27, APT29, APT41, Conti, LockBit, Cobalt Strike, Emotet, Stuxnet, SolarWinds and hundreds more), far more than 14 reports about one domain registered in February 2026 could support. Treat it as the feed's aggregate vocabulary, not as attribution or a TTP profile for pickupweb.me; the two references listed further down are the only context the page ties to this domain.
The ATT&CK technique IDs recoverable from the cloud, in the order they appear: T1014, T1018, T1021.001, T1021.002, T1027, T1046, T1053, T1055, T1059, T1059.001, T1068, T1071, T1071.001, T1078, T1090, T1090.003, T1102, T1105, T1190, T1195, T1204, T1204.001, T1204.002, T1486, T1496, T1499.001, T1505.003, T1565, T1566, T1566.001, T1566.002, T1566.003, T1567.001, T1569.002, T1583.001, T1583.003, T1583.004, T1584.001, T1584.003, T1584.004, T1588.002, T1595.001, T1595.002, T1595.003. The cloud also carries Proofpoint actor labels (TA471, TA551, TA578, TA800), Mandiant UNC numbers and CERT-UA's UAC-0056, which are not ATT&CK IDs.
Activity Timeline (heatmap peak: 2026-06-16; single sighting on Jun 16)
Window   Sightings   Status
24h      0           Dormant
7d       0           Dormant
30d      1           Minimal
3mo      1           Minimal
Threat Score: 90 / 100 (High Risk)
VirusTotal: Not checked
WHOIS
- registrar: GMO Internet Group, Inc. d/b/a Onamae.com (IANA ID 49; a second merged record line reads "GMO Internet, Inc.")
- domain rank: -1
- raw (registry and registrar answers are merged, so several keys appear twice; "[email protected]" is how the page rendered obfuscated addresses and is left as shown):
  Admin City: Kita-ku Osaka-shi
  Admin City: REDACTED
  Admin Country: JP
  Admin Country: REDACTED
  Admin Email: [email protected]
  Admin Organization: REDACTED
  Admin Organization: Whois Privacy Protection Service by VALUE-DOMAIN
  Admin Postal Code: 530-0011
  Admin Postal Code: REDACTED
  Admin State/Province: Osaka
  Admin State/Province: REDACTED
  Creation Date: 2026-02-05T21:26:54Z
  DNSSEC: unsigned
  Domain Name: pickupweb.me
  Domain Status: ACTIVE
  Domain Status: ok https://icann.org/epp#ok
  Name Server: ns11.value-domain.com
  Name Server: ns12.value-domain.com
  Name Server: ns13.value-domain.com
  Registrant City: 3495bcf1839c6374
  Registrant City: 7ccd7c87885017b3
  Registrant Country: JP
  Registrant Email: [email protected]
  Registrant Email: fb6ff66ef97c0518s@
  Registrant Fax Ext: 3432650ec337c945
  Registrant Fax Ext: 3495bcf1839c6374
  Registrant Fax: 3495bcf1839c6374
  Registrant Fax: 811d807d7176d6c4
  Registrant Name: 3495bcf1839c6374
  Registrant Name: 690fd393ab541650
  Registrant Organization: 690fd393ab541650
  Registrant Phone Ext: 3432650ec337c945
  Registrant Phone Ext: 3495bcf1839c6374
  Registrant Phone: 3495bcf1839c6374
  Registrant Phone: cf26f0a5102f4d2c
  Registrant Postal Code: 3495bcf1839c6374
  Registrant Postal Code: 5e2e342d8b722e0d
  Registrant State/Province: 26f09c44d7b233f8
  Registrant Street: 3495bcf1839c6374
  Registrant Street: 87cd61bf52ceea7d
  Registrant Street: a2480ac8d23288c7
  Registrar Abuse Contact Email: [email protected]
  Registrar Abuse Contact Phone: +81.337709199
  Registrar IANA ID: 49
  Registrar Registration Expiration Date: 2027-02-05T21:26:54Z
  Registrar URL: http://www.onamae.com
  Registrar WHOIS Server: whois.discount-domain.com
  Registrar: GMO Internet Group, Inc. d/b/a Onamae.com
  Registrar: GMO Internet, Inc.
  Registry Admin ID: REDACTED
  Registry Domain ID: REDACTED
  Registry Expiry Date: 2027-02-05T21:26:54Z
  Registry Registrant ID: REDACTED
  Registry Tech ID: REDACTED
  Tech City: Kita-ku Osaka-shi
  Tech City: REDACTED
  Tech Country: JP
  Tech Country: REDACTED
  Tech Email: [email protected]
  Tech Organization: REDACTED
  Tech Organization: Whois Privacy Protection Service by VALUE-DOMAIN
  Tech Postal Code: 530-0011
  Tech Postal Code: REDACTED
  Tech State/Province: Osaka
  Tech State/Province: REDACTED
  Updated Date: 2026-02-06T06:26:58Z
  Updated Date: 2026-02-10T21:27:31Z
- triage notes from the record: the domain was created on 2026-02-05, the same day as the page's First Seen date; admin and tech contacts resolve to the registrar's privacy proxy (Whois Privacy Protection Service by VALUE-DOMAIN, Osaka); every registrant field comes back as an opaque 16-hex-character token rather than a plain REDACTED marker, so nothing about the registrant is recoverable from WHOIS alone; DNSSEC is unsigned and the zone is served by the registrar's default value-domain.com name servers.
- references:
  https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/ (listed twice on the page, with and without the trailing slash; IOC attachment IOCs.3.csv)
  https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt
- subdomains count: 1
Export & API: STIX 2.1 bundle, CSV export, permalink.
IOC Journey (confidence: medium): first detected 4 months ago, last seen 8 days ago; appeared in 14 threat reports.