IOC Radar
DomainMediumSignal 0/100

redpiranha.net

Location
SeychellesSeychelles
First Seen
Aug 31, 2025
Last Seen
Apr 22, 2026
Aug 31
First Seen
297d ago
Apr 22
Last Seen
64d ago
2
Reports
source reports
0%
Confidence
medium
Found in 2 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
0%
Signal Score
0 / 100
IDS Rule
No
Threat Context
Tags

Feed Intelligence Summary

2 reports0% confidence
2
Source reports
0%
Confidence score
Category tags
indicatornetworkresearched

Activity Timeline

1 total obs
Apr 22Apr 22

Threat Activity Heatmap

· Peak: 2026-04-22
Less
More
Mon
Wed
Fri
Jun
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Intelligence SummaryAI Generated

The domain `redpiranha.net` has been identified as an Indicator of Compromise (IOC) in various threat intelligence feeds; however, a thorough review of its characteristics indicates a very low-risk profile. With a score of 0.0 and an explicit "Yes" whitelist status, this IOC is considered benign. Its presence in threat intelligence feeds appears to be primarily due to its inclusion in whitelist services rather than any malicious activity. Therefore, its mere inclusion in threat intelligence feed…

Threat ScoreLow Risk
0
SIGNAL
Signal Score
0%
Confidence
2
Reports
First seenAug 31, 2025
Last seenApr 22, 2026

VirusTotal

Not checked

WHOIS

description
Between June and July 2025, a series of coordinated brute force and password spraying attacks were orchestrated from a group of Ukrainian networks, including FDN3, VAIZ, and E-RISHENNYA, alongside a Seychelles-based network known as TK-NET. FDN3, attributed to FOP Dmytro Nedilskyi and identified as AS211736, was particularly active, targeting SSL VPN and RDP devices and executing hundreds of thousands of such attacks over spans of up to three days. The malicious infrastructure exploited shared IPv4 prefixes among itself and its affiliated networks to bypass blocklists, indicating a sophisticated evasive strategy likely managed by a common administrator.

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 9 months ago · Last seen 2 months ago
Appeared in 2 threat reports