Domain · High · Verified · Signal 26/100
snshqch.co
Location
First Seen: Jul 8, 2025
Last Seen: Mar 23, 2026
Found in 5 reports. Confidence: high. Confidence scores are heuristic; verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 26%
Signal Score: 26 / 100
IDS Rule: No
Feed Intelligence Summary
5 source reports · 26% confidence score
Activity Timeline
Last activity: Mar 23
Threat Activity Heatmap · Peak: 2026-03-23
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: Low Risk (26)
Signal Score: 26 / 100
Confidence: 26%
Reports: 5
First seen: Jul 8, 2025
Last seen: Mar 23, 2026
Verified IOC · VirusTotal: Not checked
WHOIS
- registrar: Gandi SAS
- description: Operation Endgame 2: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or Mirai (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
- domain rank: -1
- raw:
  - Admin City: REDACTED FOR PRIVACY
  - Admin Country: REDACTED FOR PRIVACY
  - Admin Organization: REDACTED FOR PRIVACY
  - Admin Postal Code: REDACTED FOR PRIVACY
  - Admin State/Province: REDACTED FOR PRIVACY
  - Creation Date: 2020-05-19T06:49:32Z
  - DNSSEC: unsigned
  - Domain Name: snshqch.co
  - Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  - Name Server: ns-1507.awsdns-60.org
  - Name Server: ns-1595.awsdns-07.co.uk
  - Name Server: ns-436.awsdns-54.com
  - Name Server: ns-715.awsdns-25.net
  - Registrant City: 1f8f4166599d23ee
  - Registrant Country: US
  - Registrant Email: f651612a2f356ad3s@
  - Registrant Fax Ext: 1f8f4166599d23ee
  - Registrant Fax: 1f8f4166599d23ee
  - Registrant Name: 1f8f4166599d23ee
  - Registrant Organization: d4aa9c56eaa22fb7
  - Registrant Phone Ext: 1f8f4166599d23ee
  - Registrant Phone: 1f8f4166599d23ee
  - Registrant Postal Code: 1f8f4166599d23ee
  - Registrant State/Province: b1952dfc047df18a
  - Registrant Street: 1f8f4166599d23ee
  - Registrar Abuse Contact Email: [email protected]
  - Registrar Abuse Contact Phone: +33.170377661
  - Registrar IANA ID: 81
  - Registrar URL: whois.gandi.net
  - Registrar-Reseller Name: GANDI SAS
  - Registrar: Gandi SAS
  - Registry Admin ID: REDACTED FOR PRIVACY
  - Registry Domain ID: REDACTED FOR PRIVACY
  - Registry Expiry Date: 2026-05-19T06:49:32Z
  - Registry Registrant ID: REDACTED FOR PRIVACY
  - Registry Tech ID: REDACTED FOR PRIVACY
  - Tech City: REDACTED FOR PRIVACY
  - Tech Country: REDACTED FOR PRIVACY
  - Tech Organization: REDACTED FOR PRIVACY
  - Tech Postal Code: REDACTED FOR PRIVACY
  - Tech State/Province: REDACTED FOR PRIVACY
  - Updated Date: 2025-04-19T06:52:42Z
- references:
  - Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000+ devices in Pulse
  - https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12
  - device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com: TWC-11427-TEXAS, US · Spectrum · Geo McKinney, Texas, United States (US) · AS11427 - TWC-11427-TEXAS, US (note: an IP might be announced by multiple ASs) · Spectrum | Charter Communications · Route 184.92.0.0/16 (route of ASN) · PTR syn-184-092-221-096.res.spectrum.com (PTR record of primary IP) · IPv4 184.92.221.96
  - https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com
  - truist.palantirfoundry.com · nissansandbox.palantirfoundry.com
  - device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T
  - Sandbox behaviour signatures (as recorded, unparsed): Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes, Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect, Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell, Ransomware File Modifications Exec Crash, Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys, Request Queries Keyboard Layout Antivm Generic Disk Resumethread, Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious, Contains Pe Overlay Queries Locale Api Language Check Registry
- subdomains count: 0
IOC Journey
Confidence: high · First detected 11 months ago · Last seen 2 months ago
Appeared in 5 threat reports