IOC Radar
Domain · Medium · Signal 0/100

s3.tebi.io

Location: Australia
First Seen: Nov 28, 2021 (1655d ago)
Last Seen: Feb 13, 2026 (118d ago)
Reports: 3 source reports
Confidence: 0% (medium)
Found in 3 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 0%
Signal Score: 0 / 100
IDS Rule: No
Threat Context
Tags

Feed Intelligence Summary

3 reports · 0% confidence
Category tags: indicator, network, researched

Activity Timeline

1 total obs · Feb 13

Threat Activity Heatmap

Peak: 2026-02-13
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)

Intelligence Summary (AI Generated)

This indicator of compromise (IOC), `s3.tebi.io`, has been identified as benign and carries a very low-risk score of 0.0. Its inclusion in certain threat intelligence feeds, such as Cisco-Talos, Public Attackers, and SOCRadar-APT Feed, does not indicate malicious activity in this instance. Instead, it has been explicitly whitelisted by reliable services, signifying that it is not currently associated with any active threats. This means that encountering `s3.tebi.io` within the network is highly …

Threat Score: Low Risk
Signal Score: 0
Confidence: 0%
Reports: 3
First seen: Nov 28, 2021
Last seen: Feb 13, 2026

VirusTotal

Not checked

WHOIS

description
The Wiz Research Team identified a remote code execution (RCE) exploitation attempt targeting a honeypot server running TeamCity, facilitated by an exposed Java Debug Wire Protocol (JDWP) interface. JDWP, a debugging tool in Java applications, became the entry point for the attacker due to its misconfiguration—most notably, the lack of authentication and access control when exposed to the internet. This allowed the attacker to execute arbitrary commands remotely, allowing for the deployment of a cryptomining payload shortly after the vulnerable machine was accessible. Upon accessing the honeypot, the attacker confirmed the JDWP interface was active by sending a handshake request. This interaction not only validated the interface but also provided details about the Java process and its loaded.

IOC Journey

medium
First detected 4 years ago · Last seen 3 months ago
Appeared in 3 threat reports