IOC Radar
DomainMediumSignal 92/100

script-dev.buzz

Location
GermanyGermany
First Seen
Apr 23, 2026
Last Seen
Jun 3, 2026
Apr 23
First Seen
49d ago
Jun 3
Last Seen
8d ago
9
Reports
source reports
92%
Confidence
medium
Found in 9 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
92%
Signal Score
92 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

19 techniques

Feed Intelligence Summary

9 reports92% confidence
9
Source reports
92%
Confidence score
Category tags
cloakingeducationeuropefakecaptchafinance and insurancegermanyghost cmsindicatorinformation stealerinfostealerinjection activitymalwaremanual-collectionmass compromisemediamedium-risknetworkransomwareresearchedscams & fraudsql injectiont1027t1055t1059.001t1059.003t1059.007t1071.001t1102t1105t1132.001t1140t1190t1204t1212t1218.011t1547.001t1566t1573t1583.001t1583.006targeting databasethreat actortype osint

Activity Timeline

1 total obs
Jun 3Jun 3

Threat Activity Heatmap

· Peak: 2026-06-03
Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Intelligence SummaryAI Generated

The domain **script-dev.buzz** has emerged as a significant indicator of compromise (IOC) linked to malicious activities originating from Germany. First observed on April

Threat ScoreHigh Risk
92
SIGNAL
Signal Score
92%
Confidence
9
Reports
First seenApr 23, 2026
Last seenJun 3, 2026

VirusTotal

Not checked

WHOIS

description
Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.
domain rank
-1
raw
Administrative city: REDACTED FOR PRIVACY Administrative country: United States Administrative state: state Billing city: REDACTED FOR PRIVACY Billing country: United States Billing state: state Create date: 2026-04-17 00:00:00 Domain name: script-dev.buzz Domain registrar id: 3765.0 Expiry date: 2027-04-17 00:00:00 Name server 1: clayton.ns.cloudflare.com Name server 2: delilah.ns.cloudflare.com Query time: 2026-04-18 15:12:31 Registrant city: 1f8f4166599d23ee Registrant country: United States Registrant email: 6eb609d996e182a6s@ Registrant name: 1f8f4166599d23ee Registrant state: 0a65c0763b460f05 Registrant zip: 1f8f4166599d23ee Technical city: REDACTED FOR PRIVACY Technical country: United States Technical state: state Update date: 2026-04-17 00:00:00
subdomains count
0

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 1 month ago · Last seen 8 days ago
Appeared in 9 threat reports