Domain · Medium · Signal 86/100
rnicrosoft.com
Location
First Seen
Feb 26, 2021
Last Seen
Jun 11, 2026
Found in 14 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
86%
Signal Score
86 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
14 reports · 86% confidence
14
Source reports
86%
Confidence score
Category tags
Activity Timeline
Jun 11 to Jun 11
Threat Activity Heatmap
Peak: 2026-06-11
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain rnicrosoft.com, originating from the United States, has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats. First observed on February
Threat Score: High Risk
Signal Score: 86 / 100
Confidence: 86%
Reports: 14
First seen: Feb 26, 2021
Last seen: Jun 11, 2026
VirusTotal: Not checked
WHOIS
- registrar: TurnCommerce, Inc. DBA NameBright.com
- domain rank: -1
- raw
  - Admin City: Sejong-Shi
  - Admin Country: KR
  - Admin Email: [email protected]
  - Admin Postal Code: 30063
  - Admin State/Province: SEJONG
  - Creation Date: 2012-03-25T18:40:38.000Z
  - Creation Date: 2012-03-25T18:40:38Z
  - DNSSEC: unsigned
  - Domain Name: RNICROSOFT.COM
  - Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  - Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
  - Name Server: NS1.SEDOPARKING.COM
  - Name Server: NS2.SEDOPARKING.COM
  - Registrant City: 7c9d875bd403dba1
  - Registrant Country: KR
  - Registrant Email: [email protected]
  - Registrant Fax Ext: 3432650ec337c945
  - Registrant Fax: 3432650ec337c945
  - Registrant Name: 8af78d82875c3096
  - Registrant Organization: 3432650ec337c945
  - Registrant Phone Ext: 3432650ec337c945
  - Registrant Phone: 6e385ff11f0564e5
  - Registrant Postal Code: f7d6d68b9b825ebd
  - Registrant State/Province: 4aff2b5cf1e6ac1e
  - Registrant Street: 2232a46d46038e17
  - Registrar Abuse Contact Email: [email protected]
  - Registrar Abuse Contact Email: [email protected]
  - Registrar Abuse Contact Phone: +1.7204960020
  - Registrar Abuse Contact Phone: 17204960020
  - Registrar IANA ID: 1441
  - Registrar Registration Expiration Date: 2026-03-25T18:40:38.000Z
  - Registrar URL: http://www.NameBright.com
  - Registrar URL: https://www.NameBright.com
  - Registrar WHOIS Server: whois.NameBright.com
  - Registrar WHOIS Server: whois.namebright.com
  - Registrar: TurnCommerce, Inc. DBA NameBright.com
  - Registry Admin ID: Not Available From Registry
  - Registry Domain ID: 1708918298_DOMAIN_COM-VRSN
  - Registry Expiry Date: 2026-03-25T18:40:38Z
  - Registry Registrant ID: Not Available From Registry
  - Registry Tech ID: Not Available From Registry
  - Tech City: Sejong-Shi
  - Tech Country: KR
  - Tech Email: [email protected]
  - Tech Postal Code: 30063
  - Tech State/Province: SEJONG
  - Updated Date: 2024-03-31T03:06:08.601Z
  - Updated Date: 2025-03-17T08:46:54Z
- references
  - https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
  - https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU
  - https://malpedia.caad.fkie.fraunhofer.de/actor/apt37
  - https://twitter.com/jfslowik/status/1212097943550873600
  - https://x.com/skocherhan/status/1970324550891241842
  - https://x.com/skocherhan/status/1970341247413035150
  - https://x.com/skocherhan/status/1970347261159739468
  - https://x.com/skocherhan/status/1970354544933838901
  - https://x.com/skocherhan/status/1970375570669425061
  - https://x.com/skocherhan/status/1970392758063087845
  - https://x.com/skocherhan/status/1970481497162555404
  - https://x.com/skocherhan/status/1970486968547959053
  - https://x.com/skocherhan/status/1970500145683816651
  - https://x.com/skocherhan/status/1970553005717024791
  - https://x.com/skocherhan/status/1970555530444730573
  - https://x.com/skocherhan/status/1970612969919914430
  - https://x.com/skocherhan/status/1970613433109221510
  - https://x.com/skocherhan/status/1970616329846608259
  - report-spark-bahamut.pdf
  - https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf
  - https://www.virustotal.com/gui/url/409c15e584634c6f8723f35ce9d8cf647aa1deec451f1122d611fefd76b103eb/detection
  - https://www.virustotal.com/gui/url/409c15e584634c6f8723f35ce9d8cf647aa1deec451f1122d611fefd76b103eb/details
  - https://www.virustotal.com/graph/embed/g86cd905edfb541499a2180e00057566b5f2d4484f2cc4196ac1cf5967f2d128e
  - https://www.alertasyseguridad.com/
- subdomains count: 96
IOC Journey
Medium · First detected 5 years ago · Last seen 10 days ago
Appeared in 14 threat reports