IOC Radar
DomainMediumSignal 75/100

updatefilescf.top

First Seen
May 18, 2026
Last Seen
Jun 4, 2026
May 18
First Seen
24d ago
Jun 4
Last Seen
8d ago
8
Reports
source reports
75%
Confidence
medium
Found in 8 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
75%
Signal Score
75 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

19 techniques

Feed Intelligence Summary

8 reports75% confidence
8
Source reports
75%
Confidence score
Category tags
cloakingeducationfakecaptchafinance and insuranceghost cmsindicatorinformation stealerinfostealerinjection activitymass compromisemedianetworkransomwareresearchedscams & fraudsql injectiont1027t1055t1059.001t1059.003t1059.007t1071.001t1102t1105t1132.001t1140t1190t1204t1212t1218.011t1547.001t1566t1573t1583.001t1583.006targeting databasethreat actor

Activity Timeline

1 total obs
Jun 4Jun 4

Threat Activity Heatmap

· Peak: 2026-06-04
Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Intelligence SummaryAI Generated

The domain **updatefilescf.top** has emerged as a significant indicator of compromise (IOC) associated with malware and ransomware activities. First observed on May

Threat ScoreHigh Risk
75
SIGNAL
Signal Score
75%
Confidence
8
Reports
First seenMay 18, 2026
Last seenJun 4, 2026

VirusTotal

Not checked

WHOIS

registrar
NICENIC INTERNATIONAL GROUP CO., LIMITED
description
Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.
domain rank
-1
raw
Creation Date: 2026-05-15T16:00:00Z Creation Date: 2026-05-15T17:27:26Z DNSSEC: unsigned Domain Name: updatefilescf.top Domain Status: addPeriod https://icann.org/epp#addPeriod Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: NS3.MY-NDNS.COM Name Server: NS4.MY-NDNS.COM Name Server: ns3.my-ndns.com Name Server: ns4.my-ndns.com Registrant City: 3432650ec337c945 Registrant Country: Registrant Country: US Registrant Email: 3432650ec337c945s@ Registrant Email: 6eb609d996e182a6s@ Registrant Fax Ext: 3432650ec337c945 Registrant Fax: 3432650ec337c945 Registrant Name: 3432650ec337c945 Registrant Organization: 3432650ec337c945 Registrant Phone Ext: 3432650ec337c945 Registrant Phone: 3432650ec337c945 Registrant Postal Code: 3432650ec337c945 Registrant State/Province: 0a65c0763b460f05 Registrant State/Province: 3432650ec337c945 Registrant Street: 3432650ec337c945 Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +852.85268581006 Registrar IANA ID: 3765 Registrar Registration Expiration Date: 2027-05-15T16:00:00Z Registrar URL: https://nicenic.com Registrar URL: https://nicenic.com/ Registrar WHOIS Server: whois.nicenic.com Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED Registry Admin ID: REDACTED FOR PRIVACY Registry Domain ID: D202605162088436-COM Registry Domain ID: D20260516G10001G_75443346-top Registry Expiry Date: 2027-05-15T17:27:26Z Registry Registrant ID: REDACTED FOR PRIVACY Registry Tech ID: REDACTED FOR PRIVACY Updated Date: 2026-05-15T16:00:00Z Updated Date: 2026-05-15T17:27:26Z
references
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
subdomains count
0

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 24 days ago · Last seen 8 days ago
Appeared in 8 threat reports