IOC Radar
DomainMediumSignal 93/100

vash-server.com

Location
LatviaLatvia
First Seen
Apr 21, 2026
Last Seen
Apr 28, 2026
Apr 21
First Seen
67d ago
Apr 28
Last Seen
60d ago
8
Reports
source reports
93%
Confidence
medium
Found in 8 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
93%
Signal Score
93 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

14 techniques

Feed Intelligence Summary

8 reports93% confidence
8
Source reports
93%
Confidence score
Category tags
active scanamosapi routesapt campaignsatomic macosc2 infrastructurecommand & controlcybersecurity researchencryptioneuropefeature mapgoodtecindicatorinfostealeriocsjs bundlelatviamalwaremalware analysismanual-collectionmedium-risknetworknevadanorth americaodysseyodyssey panelodyssey stealerphishingproblempythonransomwareresearchedreverse engineeringstealersubnett1003t1005t1055t1056t1059t1090t1106t1195t1218t1539t1547t1555t1556t1567threat actorthreat intelligencetls certificatetor nodeturntype osintunited statesuswaterhydrayara rules

Activity Timeline

1 total obs
Apr 28Apr 28

Threat Activity Heatmap

· Peak: 2026-04-28
Less
More
Mon
Wed
Fri
Jun
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
93
SIGNAL
Signal Score
93%
Confidence
8
Reports
First seenApr 21, 2026
Last seenApr 28, 2026

VirusTotal

Not checked

WHOIS

registrar
Cloudflare, Inc.
description
A recent investigation revealed a sophisticated cyber threat involving the Odyssey macOS stealer panels, particularly highlighting a backdoored version that exfiltrates operator credentials without their knowledge. Security researchers tracked two panels operating on the same Kazakhstan subnet, discovering that one, specifically at the IP address 86.54.25.202, contains a 960-byte credential harvester embedded within its JavaScript bundle. This malicious addition intercepts the operator's login details each time they authenticate, sending the stolen credentials to a receiver at http://scan-tron.link. Meanwhile, the other panel at 86.54.25.204 is uninfected, running a slightly newer software version
domain rank
-1
raw
Creation Date: 2024-02-19T17:19:08Z DNSSEC: unsigned Domain Name: VASH-SERVER.COM Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clienttransferprohibited https://icann.org/epp#clienttransferprohibited Name Server: CRIS.NS.CLOUDFLARE.COM Name Server: JO.NS.CLOUDFLARE.COM Name Server: cris.ns.cloudflare.com Name Server: jo.ns.cloudflare.com Registrant City: acfd0ee3752cd95d Registrant Country: US Registrant Email: 3432650ec337c945s@ Registrant Fax Ext: 3432650ec337c945 Registrant Fax: 3432650ec337c945 Registrant Name: acfd0ee3752cd95d Registrant Organization: 3432650ec337c945 Registrant Phone Ext: 3432650ec337c945 Registrant Phone: e67c90d3f62b3476 Registrant Postal Code: acfd0ee3752cd95d Registrant State/Province: fcb6428795cfdbdc Registrant Street: acfd0ee3752cd95d Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +1.4153197517 Registrar Abuse Contact Phone: +1.6503198930 Registrar IANA ID: 1910 Registrar Registration Expiration Date: 2027-02-19T17:19:08Z Registrar URL: http://www.cloudflare.com Registrar URL: https://www.cloudflare.com Registrar WHOIS Server: whois.cloudflare.com Registrar: Cloudflare, Inc. Registry Domain ID: 2856595669_DOMAIN_COM-VRSN Registry Expiry Date: 2027-02-19T17:19:08Z Updated Date: 2026-02-01T13:44:28Z
subdomains count
11

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 2 months ago · Last seen 2 months ago
Appeared in 8 threat reports
1 user flagged this