IOC Radar
TLP:WHITE · 5 IOCs

Malspam Campaign Uses DoubleClick Redirects to Deliver .NET Loader

Cyber Press
Published June 6, 2026 · Original Report

Malware Families

Diamond Model

Adversary: unknown
Infrastructure (5): xtadts.ddns.net, catalogo.castrouria.c…, afxwd.ddns.net
Capability (2): Cobalt Strike, META Stealer
Victim: unknown

Attack Flow: 10 steps · MITRE ATT&CK mapped

Step 1/10: Initial Access (TA0001) · Phishing (T1566)
Action: Send malicious email attachment
The campaign begins with a malspam email containing a malicious HTML attachment.

5W+H Threat Analysis

Analysis unavailable

Indicators of Compromise

5 indicators

| Type | Indicator | Tags | Confidence | Score | First Seen |
|---|---|---|---|---|---|
| Domain | xtadts.ddns.net | c2, intel-blog, loader | High | 58 | Jun 7, 26 |
| Domain | catalogo.castrouria.com | intel-blog, loader, malware | High | 72 | Jun 5, 26 |
| Domain | afxwd.ddns.net | c2, intel-blog, loader | High | 58 | Jun 7, 26 |
| Domain | ipapi.co | apt, espionage, exploit | High | 55 | Jun 7, 26 |
| Domain | ad.doubleclick.net | intel-blog, malware, network | High | 55 | Jun 7, 26 |

IOC Relationship Graph

[Graph: 5 total IOCs. Nodes: 1 report, 5 domains, 2 malware (Cobalt Strike, META Stealer)]