| IP |
support@shokuninusa.com |
NA |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This email address has been found associated with an ongoing phishing campaign: it sends an email containing a URL link (snhl.life) that presents itself as a DocuSign verified document link. Clicking the link loads malicious payloads. |
2026-01-24 16:45 |
| IP |
snhl.life |
NA |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This URL has been found associated with an ongoing phishing campaign, presenting itself as a DocuSign document link. Clicking it loads malicious payloads. |
2026-01-24 16:36 |
| IP |
172.86.83.90 |
NA |
TA0011 - Command & Control, T1071 - Application Layer Protocol |
AWS Cloud Infrastructure |
NA |
This IP address was found trying to access exposed AWS services and to elevate or create its own user access keys and API routes. It is hosted on Cloudzy.com servers and its location is tagged as Singapore (RouterHosting LLC). |
2026-01-19 20:43 |
| IP |
84.32.131.121 |
NA |
TA0011 - Command & Control, T1071 - Application Layer Protocol |
AWS Cloud Infrastructure |
NA |
This IP address was found trying to access exposed AWS services and to elevate or create its own user access keys and API routes. |
2026-01-19 20:39 |
| DOMAIN |
w-si.link |
NA |
T1566 - Phishing & Credential Harvesting |
Corporate Systems and Endpoints |
NA |
A threat actor is using this domain to host a phishing website and harvest credentials. |
2026-01-19 20:20 |
| DOMAIN |
event.raidrasoo.in.net |
NA |
T1566 - Phishing & Credential Harvesting |
Corporate Systems and Endpoints |
NA |
A threat actor is using this domain to host a phishing website and harvest credentials. |
2026-01-19 20:02 |
| DOMAIN |
ravotiks.com |
NA |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
A threat actor is using this domain to host a phishing website and harvest credentials. |
2026-01-19 19:55 |
| DOMAIN |
aksoyoto.com.tr |
Phishing |
T1566 - Phishing |
Corporate User Mailboxes |
NA |
A threat actor is using this domain to host a phishing website and harvest credentials. |
2025-12-24 15:43 |
| IP |
147.124.216.205 |
NA |
T1190 - Exploit Public-Facing Application - Initial Access |
Gladinet CentreStack |
CVE-2025-30406 |
Hackers are actively exploiting a critical cryptographic flaw in Gladinet CentreStack and Triofox that allows unauthenticated remote code execution (RCE) by abusing hardcoded encryption keys used to protect access tickets. An attacker can extract these static keys, forge valid tickets, access sensitive files such as web.config, steal the ASP.NET machineKey, and then deliver malicious ViewState payloads to execute arbitrary code on vulnerable servers, leading to full system compromise. Real-world attacks have already been observed, so immediate patching, key rotation, and access restriction are essential to mitigate the risk. |
2025-12-14 15:42 |
| IP |
185.245.82.81 |
Oracle Identity Manager RCE flaw |
TA0011 - Command and Control |
Oracle Identity Manager |
CVE-2025-61757 |
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has urged government organizations to immediately patch a critical flaw in Oracle Identity Manager, tracked as CVE-2025-61757, which is already being exploited—possibly as a zero-day. The vulnerability, a pre-authentication remote code execution (RCE) bug, was identified by Searchlight Cyber researchers Adam Kues and Shubham Shah. It arises from an authentication bypass in Oracle Identity Manager’s REST APIs, where attackers can manipulate a security filter by appending strings such as ?WSDL or ;.wadl to URL paths, causing protected endpoints to be mistakenly treated as publicly accessible. |
2025-11-23 15:59 |
| IP |
89.238.132.76 |
Oracle Identity Manager RCE flaw |
TA0011 - Command and Control |
Oracle Identity Manager |
CVE-2025-61757 |
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has urged government organizations to immediately patch a critical flaw in Oracle Identity Manager, tracked as CVE-2025-61757, which is already being exploited—possibly as a zero-day.
The vulnerability, a pre-authentication remote code execution (RCE) bug, was identified by Searchlight Cyber researchers Adam Kues and Shubham Shah. It arises from an authentication bypass in Oracle Identity Manager’s REST APIs, where attackers can manipulate a security filter by appending strings such as ?WSDL or ;.wadl to URL paths, causing protected endpoints to be mistakenly treated as publicly accessible. |
2025-11-23 15:48 |
| HASH |
80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb |
NPM Infostealer |
T1059 - Command and Scripting Interpreter, TA0002 - Execution |
Nodejs NPM Server & Package Repository |
NA |
File: data_extracter. Security researchers discovered 10 dangerous, fake software packages on the npm registry that have been actively stealing user login information for over four months, accumulating nearly 10,000 downloads. These packages use an incredibly sophisticated, multi-step malware to avoid detection and harvest credentials from system keyrings and browsers across all major operating systems (Windows, Linux, and macOS). |
2025-11-01 19:31 |
| IP |
195.133.79.43 |
NPM Infostealer |
T1059 - Command and Scripting Interpreter, TA0002 - Execution |
Nodejs NPM Server & Package Repository |
NA |
Security researchers discovered 10 dangerous, fake software packages on the npm registry that have been actively stealing user login information for over four months, accumulating nearly 10,000 downloads. These packages use an incredibly sophisticated, multi-step malware to avoid detection and harvest credentials from system keyrings and browsers across all major operating systems (Windows, Linux, and macOS). |
2025-11-01 19:16 |
| DOMAIN |
jrntuvksdkm.top |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This domain acts as the download link for the Trojan NSEC WinRAR payload, which is delivered as part of a phishing campaign initiated from an IP hosted in Hong Kong (Alibaba Cloud). The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer places multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and to verify the authenticity of the sender before opening such emails. |
2025-10-31 19:24 |
| IP |
8.217.123.252 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This IP acts as the command center for the Trojan NSEC, which is delivered as part of a phishing campaign initiated from an IP hosted in Hong Kong (Alibaba Cloud). The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer places multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and to verify the authenticity of the sender before opening such emails. |
2025-10-31 17:43 |
| HASH |
57bb53175ebddf9dfbb1bfe5dc15dfaeed5a317b32b66202f3e5f0dba99266f5 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
Primary File: NSecDS.exe. This Trojan is delivered as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer places multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and to verify the authenticity of the sender before opening such emails. |
2025-10-31 17:32 |
| HASH |
7c013cc480892c3000f52cc118523d07a5a2e4319989f29eb256e1e383ec4006 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
Primary File: fixit.exe. This Trojan is delivered as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer places multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and to verify the authenticity of the sender before opening such emails. |
2025-10-31 17:29 |
| HASH |
ae8d6030d92d4c14754a17507edad2d9de8b38cb8eee3fcf60ccad3c7ad984e2 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
Primary File: NSecRTS.exe. This Trojan is delivered as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer places multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and to verify the authenticity of the sender before opening such emails. |
2025-10-31 15:42 |
| HASH |
be6663a5e76b6b9490316dcd2149699fa20a529819a4889c67e9dc65864531a2 |
Trojan NSEC - Backdoor |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This Trojan is delivered as part of a phishing campaign initiated from an IP hosted in Hong Kong. The email reads as a legal notice enticing recipients to open a WinRAR attachment, which in turn contains an MSI installer disguised as a legal document (.docx.msi). The installer places multiple files inside the directory "C:\Program Files (x86)\Common Files\NSEC\", namely NSecRTS.exe, NSecDS.exe, NSec.exe, client.exe and fixit.exe. End users are advised to stay wary of such legal notices and to verify the authenticity of the sender before opening such emails. |
2025-10-31 15:39 |
| IP |
74.194.191.52 |
RondoDox & Mirai Botnet |
T1059 - Command and Scripting Interpreter, TA0011 - Command & Control |
TBK DVR-4104 and DVR-4216 video recorders; Four-Faith router models F3x24 and F3x36 |
CVE-2024-3721 and CVE-2024-12856 |
RondoDox Botnet Exploiting Critical Vulnerabilities -
Over the past month, a new botnet named RondoDox has been exploiting two high-risk vulnerabilities, CVE-2024-3721 and CVE-2024-12856. Both of these flaws are publicly known and are being actively targeted, posing a serious threat to devices and network security. Unlike more common threats like Mirai or Gafgyt, RondoDox is a newer, less-known botnet.
CVE-2024-3721 is a critical vulnerability affecting TBK DVR models, including DVR-4104 and DVR-4216, as of April 12, 2024. The flaw stems from improper handling of the /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ path, where the mdb and mdc parameters can be manipulated to inject OS commands. Successful exploitation allows remote attackers to execute arbitrary commands on affected devices. |
2025-10-14 15:21 |
| IP |
94.154.35.154 |
Mirai Botnet |
TA0011 - Command & Control |
TBK DVR Video Recording ARM based devices |
CVE-2024-3721 |
A malicious Mirai botnet sample designed to infect devices that use an ARM7 processor. The name is a combination of the processor type (arm7) and a string used by the malware (urbotnetisass).
Breakdown of the string
arm7: This specifies that the malware executable is compiled to run on the ARM7 CPU architecture. This architecture is used in many older and low-power embedded systems, such as routers, IoT devices, and certain mobile phones.
urbotnetisass: This appears to be a name chosen by the malware authors. It is a variant used in the widely known Mirai botnet. The Mirai botnet is designed to infect internet-connected devices to carry out distributed denial-of-service (DDoS) attacks.
.elf: In some automated analysis reports, the string is followed by .elf. An ELF (Executable and Linkable Format) file is a standard executable format used on Unix-like operating systems, which many embedded systems run.
Malware functionality -
Analysis of the malware sample shows it performs common botnet-related actions:
Downloads itself: It uses commands like curl and wget to download its own executable from a remote server.
Changes file permissions: It uses the chmod 777 command to give itself full read, write, and execute permissions on the infected device.
Spreads to other devices: After taking control, it scans the internet for other vulnerable devices to spread to and increase the size of the botnet. |
2025-10-14 14:49 |
| IP |
94.154.35.154 |
Mirai Botnet |
TA0011 - Command & Control |
TBK DVR Video Recording ARM based devices |
CVE-2024 |
|
2025-10-14 14:45 |
| DOMAIN |
firebase.su |
Shai Hulud - Scavenger Malware |
TA0011 - Command and Control |
CrowdStrike NPM package maintainer |
CVE-2025-54313 |
Scavenger C2 domain. CrowdStrike NPM Vulnerability -
Event: NPM Package Supply Chain Attack
Date: July 18, 2025
Attack Vector: A maintainer's account was compromised through a credential phishing campaign using a fake NPM login page.
Description:
Following the account takeover, the adversary modified five NPM packages, embedding a malicious install.js script and a DLL payload (node-gyp.dll). Upon installation of a compromised package, the script executes the DLL, which initiates a two-stage attack:
Stage 1: It steals the contents of the user's .npmrc file, exfiltrating sensitive NPM access tokens.
Stage 2: It deploys a secondary infostealer payload that targets and exfiltrates browser data like history and cache.
Impacted Packages and Versions:
eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7 (CVE-2025-54313, CVSS: High)
eslint-plugin-prettier: 4.2.2, 4.2.3
synckit: 0.11.9
@pkgr/core: 0.2.8
napi-postinstall: 0.3.1
Resolution: The malicious package versions have been deprecated on the NPM repository, and the maintainer has published updated, secure versions. |
2025-10-09 09:12 |
| HASH |
c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441 |
Scavenger Malware |
T1189 - Drive By Compromise - Initial Access, T1059 - Command and Scripting Interpreter - Execution |
CrowdStrike NPM package maintainer |
CVE-2025-54313 |
|
2025-09-21 16:43 |
| HASH |
32d0dbdfef0e5520ba96a2673244267e204b94a49716ea13bf635fa9af6f66bf |
Scavenger Malware |
T1189 - Drive By Compromise - Initial Access, T1059 - Command and Scripting Interpreter - Execution |
CrowdStrike NPM package maintainer |
CVE-2025-54313 |
CrowdStrike NPM Vulnerability -
Event: NPM Package Supply Chain Attack
Date: July 18, 2025
Attack Vector: A maintainer's account was compromised through a credential phishing campaign using a fake NPM login page.
Description:
Following the account takeover, the adversary modified five NPM packages, embedding a malicious install.js script and a DLL payload (node-gyp.dll). Upon installation of a compromised package, the script executes the DLL, which initiates a two-stage attack:
Stage 1: It steals the contents of the user's .npmrc file, exfiltrating sensitive NPM access tokens.
Stage 2: It deploys a secondary infostealer payload that targets and exfiltrates browser data like history and cache.
Impacted Packages and Versions:
eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7 (CVE-2025-54313, CVSS: High)
eslint-plugin-prettier: 4.2.2, 4.2.3
synckit: 0.11.9
@pkgr/core: 0.2.8
napi-postinstall: 0.3.1
Resolution: The malicious package versions have been deprecated on the NPM repository, and the maintainer has published updated, secure versions. |
2025-09-21 14:47 |