Domain · High · Verified · Signal 64/100
secureserver.mobi
Location
First Seen
Dec 18, 2025
Last Seen
Mar 28, 2026
Found in 5 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
64%
Signal Score
64 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
5 reports · 64% confidence
5
Source reports
64%
Confidence score
Category tags
Activity Timeline
Mar 28
Threat Activity Heatmap (weekday rows; peak: 2026-03-28)
Recent activity by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain **secureserver.mobi** has been identified as a critical indicator of compromise (IOC) associated with multiple cyber threats, including botnets, malware, phishing, and ransomware. Originating from the United States, this domain has been observed in at least one threat intelligence report, highlighting its significance in ongoing cyber operations. First detected on December
Threat Score: Medium Risk
64
SIGNAL
Signal Score
64%
Confidence
5
Reports
First seen: Dec 18, 2025
Last seen: Mar 28, 2026
Verified IOC
VirusTotal
Not checked
WHOIS
- description
- Unique entertainment scheme that seemed to have either intentionally usurped the copyrights of artists accepted for music licensing deals. It's possible the company was attacked. Is connected to a target. Several entities related to this music licensing company were attacked by Pegasus and Lazarus Group, including Sony Music. Christopher P. 'Buzz' Ahmann is related to the attacks. Unfortunately, a Colorado IT company that lists individuals related to the hacked studio as employees has been cyber stalking the target. The licensing company is unavailable online. Interesting mafia relationships. OTX auto populated - AFFixmusic.com is an unregistered domain name with an address of 166.109.7, the same address as GoDaddy.Com.co.org, which is also known as Godaddy.{
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
high · First detected 6 months ago · Last seen 2 months ago
Appeared in 5 threat reports