IOC Radar
Domain · Medium · Signal 61/100

writeup.live

Location: Korea, Democratic People's Republic of
First Seen: Jul 5, 2025 (354d ago)
Last Seen: Jun 15, 2026 (9d ago)
Reports: 12 source reports
Confidence: 61% (medium)
Found in 12 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.

Type: Domain Name. Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 61%
Signal Score: 61 / 100
IDS Rule: No
Threat Context

Tags / MITRE ATT&CK TTPs: 59 techniques (the technique IDs are listed among the category tags below).

Feed Intelligence Summary

12 source reports · 61% confidence score

Category tags (as extracted from the feed, separators restored): account security, active scanning, agent, apple macos, apt, apt group, apt38, backdoor diplomacy, banking, base64, bitcoin, blockchain, bluenoroff, bluenoroff group, brute force, c https, c2, case, chatgpt, clayrat, command and control, command execution, commodity contracts intermediation, communication protocol, credential access, credential harvesting, credential stealing, credential stuffing, credit card services, crypto exchange, crypto mining, crypto wallet, cryptocurrency, cryptocurrency threats, cryptojacking, crystal, data encryption, data exfiltration, decentralized finance, defi, digital currency, ditto, downtroy v1, dprk, dprk apt, dprk threat actor, effect, encrypted communication, europe, exodus, exodus web3, finance, financial crime, financial motivation, financial services, financial technology, ftp, ghostcall, ghostcall campaign, ghosthire, ghosthire campaign, gillyinjector, github, googie llc, http scanner, indicator, information technology, infostealer, initial access, input validation bypass, install, it infrastructure, json, json structure, konni, korea democratic people's republic of, lateral movement, launchagent, lazarus, linux, lsass, macho, macos, macos malware, malicious powershell activity, malicious software, malware, malware distribution, malware implant, microsoft teams, msteamsupdate.sh, multiple threat actors, netherlands, netsupport rat, network, network probing, network protocol, network scanning, network security, nim, nimdoor, nimdoor malware, north korean apt, operating system, operating system security, path traversal, payment processing, phishing, phishing attack, premium, process injection, protocol exploitation, python, ransomware, rat loader, reconnaissance, remote access, remote access trojan, remote services, researched, resource hijacking, rootroy, rootroy chain, rust, scripting attacks, self-signed, sigint, silentsiphon, snatchcrypto, social engineering, software development, spearphishing, ssh attack, storm-2603, supply chain attack, supply chain vulnerability, swift, sysphon, t1021, t1021.001, t1021.002, t1027, t1036.004, t1040, t1046, t1053, t1053.005, t1055, t1055.001, t1056.001, t1059, t1059.001, t1059.004, t1059.005, t1059.006, t1069.001, t1071, t1071.001, t1074.001, t1076, t1077, t1078, t1086, t1105, t1110, t1110.002, t1140, t1176, t1189, t1190, t1195, t1204, t1204.001, t1204.002, t1218.011, t1486, t1496, t1499.002, t1543.001, t1547, t1547.001, t1552.001, t1555, t1559.001, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1573, t1573.002, t1595, t1595.001, t1595.002, t1595.003, t1598, ta444, target, telnet threat, themida, vidar stealer, wealth management, web application exploitation, web traffic, windows malware, x86-64, x8664, zero, zoom

Activity Timeline

1 total observation (Jun 15).

Threat Activity Heatmap

Weekly heatmap covering Jun through the following Jun; peak: 2026-06-15.
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 61 (Medium Risk) · Signal Score: 61 · Confidence: 61% · Reports: 12 · First seen: Jul 5, 2025 · Last seen: Jun 15, 2026

VirusTotal: Not checked

WHOIS

Domain rank: -1

Raw record (query time 2025-01-23 14:59:22):
Domain name: writeup.live
Create date: 2025-01-22 00:00:00
Update date: 2025-01-22 00:00:00
Expiry date: 2026-01-22 00:00:00
Domain registrar id: 1068
Domain registrar url: https://www.namecheap.com/
Name server 1: pdns2.registrar-servers.com
Name server 2: pdns1.registrar-servers.com
Registrant name: 1f8f4166599d23ee
Registrant company: 4b7a0912c26a13e2
Registrant email: 29e2c061f3c9524es@
Registrant phone: 1f8f4166599d23ee
Registrant fax: 1f8f4166599d23ee
Registrant city: 1f8f4166599d23ee
Registrant state: 3e0204199d8ebf9c
Registrant zip: 1f8f4166599d23ee
Registrant country: Iceland
Administrative city / state / country: REDACTED FOR PRIVACY
Technical city / state / country: REDACTED FOR PRIVACY

Note: this snapshot was taken the day after registration, and the recorded expiry (2026-01-22) is earlier than the domain's last-seen date (Jun 15, 2026), so re-query WHOIS before relying on the registrar state. The registrant fields are privacy-masked hash values rather than contact details, and a registrant country with masked fields is consistent with a registrar privacy proxy, not with the operator's location.

References:
https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/
Julypt1.pdf
Cyber Threat Advisory - NimDoor DPRK's Nim-Based Malware Campaign Targets Web3 & Crypto.pdf

Subdomains count: 0

Export & API

STIX 2.1 Bundle
CSV Export
Permalink
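As an added example (not IOC Radar's own export code or schema), the following builds a STIX 2.1 Indicator for this domain from the fields shown on the page and then applies the indicator's pattern to DNS query logs. The log lines are constructed and only loosely follow BIND's query-log layout, the object IDs are fresh UUID4s on every run, and the page's caveat carries over: a hit is a lead for triage, since the 61% confidence score is heuristic, not a block decision.

```python
"""Added example: STIX 2.1 Indicator for writeup.live plus a DNS-log check.
Not IOC Radar's export code; only the constants below come from the page."""
import json
import re
import uuid
from datetime import datetime, timezone

# Values taken from the IOC Radar page above; everything else is constructed.
IOC_DOMAIN = "writeup.live"
FIRST_SEEN = "2025-07-05T00:00:00.000Z"
LAST_SEEN = "2026-06-15T00:00:00.000Z"
CONFIDENCE = 61            # heuristic score shown on the page, carried as-is
SOURCE_REPORTS = 12
REFERENCE_URL = ("https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-"
                 "target-web3-and-crypto-platforms-with-nim-based-malware/")

# Constructed log lines, loosely in BIND query-log layout (not real traffic).
# Line 2 exercises case/trailing-dot normalisation; line 3 is a lookalike that must NOT match.
SAMPLE_DNS_LOG = """\
15-Jun-2026 09:14:02.113 client 10.0.4.17#53211: query: writeup.live IN A + (10.0.0.53)
15-Jun-2026 09:14:05.771 client 10.0.4.17#53212: query: api.WRITEUP.LIVE. IN A + (10.0.0.53)
15-Jun-2026 09:15:11.004 client 10.0.8.2#40111: query: notwriteup.live IN A + (10.0.0.53)
15-Jun-2026 09:16:40.390 client 10.0.8.2#40112: query: example.org IN AAAA + (10.0.0.53)
"""


def build_bundle(domain, first_seen, last_seen, confidence, reports):
    """Return a minimal STIX 2.1 bundle holding one domain-name Indicator.
    IDs are fresh UUID4s each run, so this is not byte-identical to any bundle
    the site itself exports."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"Reported malicious domain {domain}",
        "description": (f"Domain reported in {reports} source reports; first seen "
                        f"{first_seen}, last seen {last_seen}. Confidence is heuristic."),
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[domain-name:value = '{domain}']",
        "valid_from": first_seen,
        "confidence": confidence,          # STIX 2.1 confidence is an integer 0..100
        "external_references": [{"source_name": "SentinelLabs", "url": REFERENCE_URL}],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}


_PATTERN_RE = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")


def domain_from_pattern(pattern):
    """Extract the domain from a single-comparison domain-name pattern.
    Anything richer (AND/OR, other object types) is rejected rather than half-matched."""
    m = _PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    return m.group(1).lower().rstrip(".")


def qname_matches(qname, domain):
    """True for the domain itself or any subdomain. Lowercases and strips the
    trailing dot so 'API.WRITEUP.LIVE.' matches while 'notwriteup.live' does not."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


_QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def scan_dns_log(log_text, domain):
    """Return one dict per query line whose qname matches the indicator domain."""
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        client, qname, rtype = m.groups()
        if qname_matches(qname, domain):
            hits.append({"client": client, "qname": qname.lower().rstrip("."),
                         "rtype": rtype, "line": line})
    return hits


if __name__ == "__main__":
    bundle = build_bundle(IOC_DOMAIN, FIRST_SEEN, LAST_SEEN, CONFIDENCE, SOURCE_REPORTS)
    print(json.dumps(bundle, indent=2))
    domain = domain_from_pattern(bundle["objects"][0]["pattern"])
    for hit in scan_dns_log(SAMPLE_DNS_LOG, domain):
        # Leads to triage, not block decisions: the page's score is heuristic.
        print(f"TRIAGE {hit['client']} -> {hit['qname']} ({hit['rtype']})")
```

The matcher deliberately requires a dot boundary for subdomain matches so that lookalike registrations such as the constructed notwriteup.live do not fire; if you feed it a real resolver log, adjust only the _QUERY_RE line to your resolver's format.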

IOC Journey

Risk level: medium · First detected 11 months ago · Last seen 9 days ago · Appeared in 12 threat reports