DomainHighVerifiedSignal 26/100

`toansub.pro`

Location

Netherlands

First Seen

Jul 8, 2025

Last Seen

Apr 7, 2026

Jul 8

First Seen

339d ago

Apr 7

Last Seen

67d ago

Reports

source reports

26%

Confidence

high

Found in 5 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.

Domain Name

Malicious domain used for C2, phishing, or malware distribution.

MISP Category

Network Activity

Confidence

26%

Signal Score

26 / 100

IDS Rule

Threat Context

MITRE ATT&CK TTPs

159 techniques

Feed Intelligence Summary

5 reports26% confidence

Source reports

26%

Confidence score

Category tags

aaaaabuseacceptaccount securityactive scanaddressaddress domainaddress googleadvanced persistent threatakamaialertsanalysis dateapache xappleaptapt groupascii textasiaassociated urlsatomaustraliaautorunav detectionsavast avgbad reputationbingbodybody doctypebotnetbotnet activitybrute forcech uacivilcivil servicescivilian targetingck idck matrixclick-based attackcnletcode executioncode injectioncommandcommand and controlcommand executioncommunication protocolcommunication technologiescompromised routercontent typecopy md5copy sha1copy sha256creation datecredential harvestingcredential stuffingcrlf linedata accessdata copyingdata exfiltrationdata store exposuredata transferdata uploadddosddos attacksdefense evasiondefense-evasiondeletedelphidetailed errordetections namedevelopment attdistributed attacksdnsdns attackdnssecdocument filedomains showdropperdynamicdynamicloadere safeelectronic health recordselton avundanoencryptencryptionenterprise securityentrieserrorerror juleu alexeyeu cyber policieseuropeexecutable fileexploitexploitation activityfileless malwarefilesfiles domainfiles ipfiles locationfiles relatedfiles showfirmware infectionfirmware modificationflagflag unitedfoundfrance asngeckogenericgoogle safegovernment technologyheader http2health care and social assistancehealth information technologyhealthcare information systemshighhospital managementhostilehostinghostname addhostname enumerationhostname queryhttp scannerhybridicmp trafficidentity & access exploitationids detectionsii llcindicatorinformation gatheringinformation technologyinfrastructure acquisitionreconnaissanceingress tool transferinjection activityinput validation bypassintelinternet of thingsiosios malwareiot botnetiot securityiot/ics attackit infrastructureitre attkeyskhtmllazarus grouplearnless whoislinklinuxlinux malwarelocallookmacmalicious linksmalicious softwaremalwaremass surveillancemediamedical servicesmediummetadata analysismirai botnetmitre attmobilemobile carriersmobile malwaremobile networksmobile secmobile securitymobile threatmodel secmovednamename servername serversname tacticsnation-state activitynetherlandsnetworknetwork scanningnetwork trafficnextnext associatednext passivenext relatednext yaranreumobjectoceaniaogoogle trustok transferoletopenurl coperating systemoperating system securityoutbound m3overview ippacking t1045passive dnspatch managementpath traversalpatient carepattern matchpdfpe filepegasuspegasus projectperfect privacyphishingphishing attackpoliceportprecreate readpresentpresent aprpresent augpresent decpresent febpresent janpresent julpresent marpresent novpresent octpresent sepprocess injectionpublic administrationpublic infrastructurepublic policypulse pulsespulse submitpulses nonepushransomransom:win32/cvereadread creconnaissancerecord valuerefreshregional securityregistry modificationregistry runregulatory agenciesrelated nidsrelated tagsremote servicesresearchedresponse iprestartresults janresults julreverse dnsreviewsafe browsingscript urlssearchserver responseserviceshowshow processshow techniqueshowingsizesmssms exploitsocial engineeringsocial media securitysoftware developmentsoftware exploitationsoftware vulnerabilitiesspanspawnsssl castatestate-promovedstate-sponsoredstatusstringssuspt1003t1003.001t1003.004t1004t1005t1012t1016t1018t1020t1021t1021.001t1021.006t1023t1027t1030t1031t1036t1037t1037.003t1040t1041t1045t1053t1055t1056t1057t1059t1060t1062t1064t1068t1069.001t1070t1071t1071.001t1071.004t1076t1078t1082t1083t1084t1087t1091t1105t1110t1112t1113t1119t1129t1130t1133t1156t1185t1187t1189t1190t1192t1193t1199t1203t1204t1204.001t1204.002t1205t1210t1211t1212t1480t1480 executiont1485t1486t1490t1491t1495t1496t1497t1499.002t1499.003t1505t1529t1530t1539t1543t1546t1552t1553t1553.003t1555t1556t1557t1562t1564t1565t1566t1566.001t1566.002t1566.003t1566.004t1567t1568t1569t1571t1573t1574t1578t1580t1583t1584t1585t1586t1587t1587.001t1587.003t1588t1589t1589.001t1590t1590.001t1591t1592t1593t1594t1595t1596t1596.001t1596.004t1597t1598t1599t1600t1601t1602t1602.001t1602.002t1606t1608t1609t1610t1611t1612t1613t1614t1615t1619t1620t1621t1622t1647t1648t1649t1650t1651t1652t1653t1654t1656t1657t1659t1665t1666targeted spyware campaigntargeted-attackstelecom servicestelecommunicationstexasthreat actortitle objecttlsv1toolstor analysistor nodetrojan malwaretrojandroppertrojanspytype datatypeofua archua bitnessua fullua platformunitedunknown nsunknown soaurlsurls showuser executionusersutf8 textverdictverifyversion secvietnamvirtoolvulnerability scanweb application attackweb application exploitationweb trafficwin32 malwarewindirwindows malwarewindows ntwine emulatorwritex poweredxhr loadxhr startyara detectionszero click exploitzero-day exploit

Activity Timeline

1 total obs

Apr 7Apr 7

Threat Activity Heatmap

· Peak: 2026-04-07

Less

Mon

Wed

Fri

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Jan

Feb

Mar

Apr

May

Jun

24h

Dormant

30d

Dormant

3mo

Minimal

Intelligence SummaryAI Generated

The domain **toansub.pro**, originating from the Netherlands, has been identified as a critical indicator of compromise (IOC) associated with multiple cyber threats. First observed on July

Threat ScoreLow Risk

SIGNAL

Signal Score

26%

Confidence

Reports

First seenJul 8, 2025

Last seenApr 7, 2026

Verified IOC

VirusTotal

Not checked

WHOIS

description: Operation Endgame: Mass, permanent surveillance targeting civilians without warrants. Advanced tools infect devices via malicious links (WhatsApp/SMS/email) or PDFs with zero-day exploits. Clicking executes malware: Pegasus (Android/iOS) or **Mirai** (Linux/Windows), enrolling devices into a botnet. Infections are persistent, often replacing device/router firmware, requiring hardware changes. Malicious traffic hides via Google/Cloudflare DNS. Thousands of companies collaborate (Amazon, Google, Microsoft, Facebook, WhatsApp, Apple, etc.), providing servers, domains, and websites to mask attacks. This enables agencies to infect targets even when accessing legitimate services (e.g., logging into Amazon) if the browser is vulnerable. Attacks are targeted, evading firewalls, and expose private data, risking targets' physical safety. The operation involves multiple allied states.
domain rank: -1
raw: Administrative city: REDACTED FOR PRIVACY Administrative country: Redacted For Privacy Administrative state: REDACTED FOR PRIVACY Create date: 2024-12-12 00:00:00 Domain name: toansub.pro Domain registrar id: 49 Domain registrar url: whois.discount-domain.com Expiry date: 2025-12-12 00:00:00 Name server 1: ns1.host160.vietnix.vn Name server 2: ns2.host160.vietnix.vn Query time: 2024-12-15 02:52:48 Registrant address: 1f8f4166599d23ee Registrant city: 1f8f4166599d23ee Registrant company: 2049362be766c012 Registrant country: Vietnam Registrant name: 1f8f4166599d23ee Registrant state: bfb44a2b7400191c Registrant zip: 1f8f4166599d23ee Technical city: REDACTED FOR PRIVACY Technical country: Redacted For Privacy Technical state: REDACTED FOR PRIVACY Update date: 2024-12-13 00:00:00
subdomains count: 0

`toansub.pro`

MITRE ATT&CK TTPs

Feed Intelligence Summary

Activity Timeline

Threat Activity Heatmap

VirusTotal

WHOIS

Export & API

IOC Journey

We value your privacy