IOC Radar
DomainMediumSignal 72/100

r2.hashpoolpx.net

Location
Korea, Republic ofKorea, Republic of
First Seen
Dec 3, 2025
Last Seen
May 3, 2026
Dec 3
First Seen
199d ago
May 3
Last Seen
48d ago
4
Reports
source reports
72%
Confidence
medium
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
72%
Signal Score
72 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

35 techniques

Feed Intelligence Summary

4 reports72% confidence
4
Source reports
72%
Confidence score
Category tags
additional iocsahnlabahnlab securityasecasiaatipcentercoinminercommand and controlcryptocurrencycryptocurrency threatscryptojackingcutfaildata exfiltrationdata store exposuredriveexecutable fileexploitation activityfileless malwarefinancehidden folderhttp attackindicatorinjection activitylateral movementlnkmalicious linksmalicious softwaremalwarenetworkprocess injectionransomwareresearchedresource hijackingself-signedsouth koreasystemdirectoryt1003t1020t1027t1041t1053t1053.005t1055t1059t1059.005t1071t1071.001t1082t1091t1102t1105t1112t1134t1140t1190t1199t1204t1204.001t1204.002t1213t1486t1496t1546t1547t1562.001t1564.001t1565t1566t1566.001t1574t1609threat actortor nodeusbusb driveweb securitywsvczxmrig

Activity Timeline

1 total obs
May 3May 3

Threat Activity Heatmap

· Peak: 2026-05-03
Less
More
Mon
Wed
Fri
Jun
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
72
SIGNAL
Signal Score
72%
Confidence
4
Reports
First seenDec 3, 2025
Last seenMay 3, 2026

VirusTotal

Not checked

WHOIS

description
In February 2025, a trend of cryptocurrency mining malware dissemination via USB devices was confirmed by AhnLab Security Intelligence Center (ASEC) in Korea, and similar findings were later reported by Mandiant in July 2025. The identified malware variants include DIRTYBULK and CUTFAIL. The transmission mechanism typically involves a user inserting a USB drive and executing a shortcut file named "USB Drive.lnk." This shortcut leads to the execution of VBS malware characterized by a prefix "u" followed by a random six-digit number, stored within a hidden "sysvolume" folder.
raw
Create date: 2025-09-19 00:00:00 Domain name: hashpoolpx.net Domain registrar id: 69 Domain registrar url: http://tucowsdomains.com Expiry date: 2026-09-19 00:00:00 Query time: 2025-09-21 10:19:20 Registrant city: 1f8f4166599d23ee Registrant company: 1f8f4166599d23ee Registrant country: Saint Kitts and Nevis Registrant email: 307a4c8e0fe63c3es@ Registrant fax: 31d1617d95c9a75c Registrant name: 1f8f4166599d23ee Registrant phone: 31d1617d95c9a75c Registrant state: 5c1896d54f3bb30d Registrant zip: 1f8f4166599d23ee Update date: 2025-09-21 00:00:00

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 6 months ago · Last seen 1 month ago
Appeared in 4 threat reports