Domain · Medium · Signal 76/100
zhca.mlcrosoft.cyou
Location
First Seen
Jun 8, 2025
Last Seen
May 17, 2026
Found in 6 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Domain Name
Malicious domain used for C2, phishing, or malware distribution.
MISP Category
Network Activity
Confidence
76%
Signal Score
76 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
6 reports · 76% confidence
6
Source reports
76%
Confidence score
Category tags
Activity Timeline
May 17
Threat Activity Heatmap
Peak: 2026-05-17
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)
The domain zhca.mlcrosoft.cyou, originating from China, has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats. First observed on June
Threat Score: High Risk
76
SIGNAL
Signal Score
76%
Confidence
6
Reports
First seen: Jun 8, 2025
Last seen: May 17, 2026
VirusTotal
Not checked
WHOIS
Raw record:
Create date: 2025-03-25 00:00:00
Domain name: mlcrosoft.cyou
Domain registrar id: 1923
Domain registrar url: https://www.gname.com/
Expiry date: 2026-03-25 00:00:00
Name server 1: hadlee.ns.cloudflare.com
Name server 2: harley.ns.cloudflare.com
Query time: 2025-03-26 10:25:56
Registrant country: China
Registrant email: 29e2c061f3c9524es@
Registrant state: dcad544bdc6e7722
Update date: 2025-03-25 00:00:00
IOC Journey
Medium · First detected 1 year ago · Last seen 1 month ago
Appeared in 6 threat reports