Domain · Medium · Signal 60/100
varegjopeaks.com
Location
First Seen
Oct 18, 2025
Last Seen
Jun 22, 2026
Found in 13 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
60%
Signal Score
60 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
13 source reports · 60% confidence score
Activity Timeline
Jun 22
Threat Activity Heatmap
Last 24h: 0 (Dormant)
Last 7d: 1 (Minimal)
Last 30d: 1 (Minimal)
Last 3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal score: 60
Confidence: 60%
Reports: 13
First seen: Oct 18, 2025
Last seen: Jun 22, 2026
VirusTotal
Not checked
WHOIS
- Domain rank: -1
- Raw record:
  Administrative city: DATA REDACTED
  Administrative country: DATA REDACTED
  Administrative state: DATA REDACTED
  Billing city: DATA REDACTED
  Billing country: DATA REDACTED
  Billing state: DATA REDACTED
  Create date: 2025-10-07 00:00:00
  Domain name: varegjopeaks.com
  Domain registrar id: 1910
  Expiry date: 2026-10-07 00:00:00
  Name server 1: gwen.ns.cloudflare.com
  Name server 2: tim.ns.cloudflare.com
  Query time: 2025-10-08 12:28:52
  Registrant address: 5d3b46240ec5e776
  Registrant city: acfd0ee3752cd95d
  Registrant company: acfd0ee3752cd95d
  Registrant country: Brazil
  Registrant fax: 0ca8254ac50b2c83
  Registrant name: acfd0ee3752cd95d
  Registrant phone: 0ca8254ac50b2c83
  Registrant state: c022cb04fd1c6c81
  Registrant zip: acfd0ee3752cd95d
  Technical city: DATA REDACTED
  Technical country: DATA REDACTED
  Technical state: DATA REDACTED
  Update date: 2025-10-07 00:00:00
- References:
  https://labs.k7computing.com/index.php/brazilian-campaign-spreading-the-malware-via-whatsapp/
  https://www.acronis.com/en/tru/posts/boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil/
  https://darfe.es/ciberwiki/index.php?title=WhatsApp-Astaroth
  https://www.virustotal.com/graph/embed/g47a529f61470486a9517a3bc9c7da717d7cb58c7070a4ed1813043d17ea3da79?theme=light
  Nove Week3 Pt2.csv
  Book1.csv
  https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp/
  https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment/
  https://medium.com/@dathannobrega/invas%C3%A3o-por-reenvio-automa%C3%A7%C3%A3o-do-whatsapp-como-vetor-de-distribui%C3%A7%C3%A3o-7818bb61dca8
  https://medium.com/@dathannobrega/do-whatsapp-ao-vbs-automa%C3%A7%C3%A3o-exfiltra%C3%A7%C3%A3o-e-c2-por-e-mail-3731d0cc1b02
  https://x.com/Merlax_/status/1981916311409029592
  https://x.com/1ZRR4H/status/1981405770785628330
- Subdomains count: 0
IOC Journey
Medium · First detected 8 months ago · Last seen 4 days ago
Appeared in 13 threat reports