Indicators Of Compromise (IOCs)

Indicators of Compromise (IOCs)

This table lists regularly updated Indicators of Compromise (IOCs), including malicious file hashes, domains, and IP addresses, to support threat detection and response.

IOCs

Date	Artical	Category	IOCs
January 1, 2026	Mustang Panda Uses Signed Kernel Mode Rootkit to Load TONESHELL Backdoor	Domain	avocadomechanism[.]com
January 1, 2026	Mustang Panda Uses Signed Kernel Mode Rootkit to Load TONESHELL Backdoor	Domain	potherbreference[.]com
January 1, 2026	Trust Wallet Chrome Extension Breach Leads to 7 Million Dollar Crypto Loss via Malicious Code	Domain	api.metrics-trustwallet[.]com
January 1, 2026	Trust Wallet Chrome Extension Breach Leads to 7 Million Dollar Crypto Loss via Malicious Code	Domain	metrics-trustwallet[.]com
January 1, 2026	Trust Wallet Chrome Extension Breach Leads to 7 Million Dollar Crypto Loss via Malicious Code	Domain	trustwallet-support.freshdesk[.]com
January 1, 2026	Trust Wallet Chrome Extension Breach Leads to 7 Million Dollar Crypto Loss via Malicious Code	Domain	trustwallet-support.freshdesk[.]com
January 1, 2026	China Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware	Domain	p2p.hd.sohu.com.cn
January 1, 2026	China Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware	Domain	dictionary.com
December 26, 2025	New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper	Domain	zkcall[.]net
December 26, 2025	SEC Files Charges Over $14 Million Crypto Scam Using Fake AI Themed Investment Tips	Domain	h5.morocoin[.]top
December 26, 2025	SEC Files Charges Over $14 Million Crypto Scam Using Fake AI Themed Investment Tips	Domain	www.bergev[.]org
December 24, 2025	U.S. DoJ Seizes Fraud Domain Linked to 14.6 Million Dollar Bank Account Takeover Scheme	Domain	web3adspanels[.]org
December 19, 2025	WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability	IP	199.247.7[.]82
December 18, 2025	Kimsuky Spreads DocSwap Android Malware Through QR Phishing Posing as Delivery App	IP	27.102.137[.]181
December 16, 2025	New ForumTroll Phishing Attacks Target Russian Scholars via Fake eLibrary Emails	Domain	e-library[.]wiki
December 16, 2025	Malicious NuGet Package Posing as Tracer Fody Steals Cryptocurrency Wallet Data	IP	176.113.82[.]163
December 15, 2025	Unpatched Gogs Zero Day Actively Exploited Across More Than 700 Instances	IP	119.45.176[.]196
December 15, 2025	Active Attacks Abuse Gladinet Hard Coded Keys to Gain Unauthorized Access and Execute Code	IP	147.124.216[.]205
December 15, 2025	React2Shell Exploitation Spreads Crypto Miners and New Malware Across Multiple Sectors	IP	185.247.224[.]41
December 12, 2025	Storm 0249 Amplifies Ransomware Attacks Using ClickFix, Fileless PowerShell, and DLL Sideloading	Domain	sgcipl[.]com
December 8, 2025	MuddyWater Uses UDPGangster Backdoor in Targeted Campaign Across Turkey, Israel, and Azerbaijan	IP	157.20.182[.]75
December 8, 2025	Sneeit WordPress RCE Exploited in the Wild, and ICTBroadcast Bug Powering Frost Botnet Attacks	IP	185.125.50[.]59
December 8, 2025	Sneeit WordPress RCE Exploited in the Wild, and ICTBroadcast Bug Powering Frost Botnet Attacks	IP	182.8.226[.]51
December 8, 2025	Sneeit WordPress RCE Exploited in the Wild, and ICTBroadcast Bug Powering Frost Botnet Attacks	IP	89.187.175[.]80
December 3, 2025	Brazil Faces Banking Trojan Spread Through WhatsApp Worm and RelayNFC Relay Fraud	Domain	manoelimoveiscaioba[.]com
December 3, 2025	Brazil Faces Banking Trojan Spread Through WhatsApp Worm and RelayNFC Relay Fraud	Domain	serverseistemasatu[.]com
December 3, 2025	Brazil Faces Banking Trojan Spread Through WhatsApp Worm and RelayNFC Relay Fraud	Domain	maisseguraca[.]site
December 3, 2025	Brazil Faces Banking Trojan Spread Through WhatsApp Worm and RelayNFC Relay Fraud	Domain	test.ikotech[.]online
December 2, 2025	ShadyPanda Converts Popular Browser Extensions With 4.3 M of Installs Into Spyware	Domain	trovi[.]com
December 2, 2025	ShadyPanda Converts Popular Browser Extensions With 4.3 M of Installs Into Spyware	Domain	api.extensionplay[.]com
November 29, 2025	CISA adds actively exploited XSS flaw CVE-2021-26829 in OpenPLC ScadaBR to KEV list	Domain	i-sh.detectors-testing[.]com
November 29, 2025	Legacy Python bootstrap scripts create domain takeover risk in several PyPI packages	Domain	python-distribute[.]org
November 29, 2025	North Korean hackers use 197 npm packages to spread updated OtterCookie malware	Domain	tetrismic.vercel[.]app
November 27, 2025	Gainsight adds more affected customers after Salesforce security alert	IP	3.239.45[.]43
November 24, 2025	ShadowPad Malware Exploits a WSUS Vulnerability to Gain Full System Access	IP	149.28.78[.]189
November 22, 2025	CISA Alerts on a Critical Oracle Identity Manager Zero Day Vulnerability That Is Being Actively Exploited	IP	89.238.132[.]76
November 22, 2025	CISA Alerts on a Critical Oracle Identity Manager Zero Day Vulnerability That Is Being Actively Exploited	IP	185.245.82[.]81
November 22, 2025	CISA Alerts on a Critical Oracle Identity Manager Zero Day Vulnerability That Is Being Actively Exploited	IP	138.199.29[.]153
November 20, 2025	Sneaky 2FA Phishing Kit Adds BitB Style Pop ups That Closely Imitate the Browser Address Bar	Domain	previewdoc[.]us
November 19, 2025	EdgeStepper Implant Redirects DNS Queries to Deliver Malware Through Compromised Software Updates	Domain	test.dsc.wcsset[.]com
November 11, 2025	Konni Hackers Turn Google Find Hub into Remote Data Wiping Tool	IP	116.202.99[.]218
November 8, 2025	China’s Hackers Repurpose Legacy Flaws, from Log4j to IIS, into Global Espionage Tools	Domain	mimosa.gleeze[.]com
November 8, 2025	Vibe-Coded Malicious VS Code Extension Found Containing Built-In Ransomware Functionality	Domain	bullethost[.]cloud
November 7, 2025	Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine	Domain	esetsmart[.]com
November 7, 2025	Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine	Domain	esetscanner[.]com
November 7, 2025	Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine	Domain	esetremover[.]com
November 7, 2025	Mysterious ‘SmudgedSerpent’ Hackers Target U.S. Policy Experts Amid Rising Iran–Israel Tensions	Domain	thebesthomehealth[.]com
November 4, 2025	SleepyDuck VSX Extension Uses Ethereum to Sustain Its Command Server	Domain	sleepyduck[.]xyz
November 3, 2025	HttpTroy Backdoor Poses as VPN Invoice to Infiltrate South Korean Targets	Domain	load.auraria[.]org
November 3, 2025	HttpTroy Backdoor Poses as VPN Invoice to Infiltrate South Korean Targets	Domain	tronracing[.]com
October 30, 2025	PhantomRaven Malware Hidden in 126 npm Packages Stealing GitHub Tokens from Developers	Domain	packages.storeartifact[.]com
October 29, 2025	10 Malicious npm Packages Steal Developer Credentials Across Windows, macOS, and Linux	IP	195.133.79[.]43
October 28, 2025	SideWinder APT Uses ClickOnce Based Attack Chain to Target South Asian Diplomats	Domain	mod.gov.bd.pk-mail[.]org
October 28, 2025	SideWinder APT Uses ClickOnce Based Attack Chain to Target South Asian Diplomats	Domain	mofa-gov-bd.filenest[.]live
October 25, 2025	APT36 Targets Indian Government Using Golang-Based DeskRAT Malware	Domain	modgovindia[.]com
October 25, 2025	APT36 Targets Indian Government Using Golang-Based DeskRAT Malware	Domain	modgovindia[.]space
October 24, 2025	Self-Spreading GlassWorm Infects VS Code Extensions, Triggers Widespread Supply-Chain Attack	IP	217.69.3[.]218
October 24, 2025	Self-Spreading GlassWorm Infects VS Code Extensions, Triggers Widespread Supply-Chain Attack	IP	199.247.10[.]166
October 24, 2025	Self-Spreading GlassWorm Infects VS Code Extensions, Triggers Widespread Supply-Chain Attack	IP	140.82.52[.]31:80
October 24, 2025	Hackers Exploit New Adobe Commerce Flaw to Breach Over 250 Magento Stores Overnight	IP	34.227.25[.]4
October 24, 2025	Hackers Exploit New Adobe Commerce Flaw to Breach Over 250 Magento Stores Overnight	IP	44.212.43[.]34
October 24, 2025	Hackers Exploit New Adobe Commerce Flaw to Breach Over 250 Magento Stores Overnight	IP	54.205.171[.]35
October 24, 2025	Hackers Exploit New Adobe Commerce Flaw to Breach Over 250 Magento Stores Overnight	IP	155.117.84[.]134
October 24, 2025	Hackers Exploit New Adobe Commerce Flaw to Breach Over 250 Magento Stores Overnight	IP	159.89.12[.]166
October 24, 2025	Homoglyph Attack in Fake Nethereum NuGet Package Steals Crypto Wallet Keys	Domain	solananetworkinstance[.]info
October 23, 2025	Ukraine Aid Organizations Targeted via Fake Zoom Meetings and Malicious PDF Files	Domain	bsnowcommunications[.]com
October 23, 2025	Iran-Linked MuddyWater Targets Over 100 Organizations in Global Espionage Campaign	IP	159.198.36[.]115
October 22, 2025	Cavalry Werewolf APT Targets Multiple Industries Using FoalShell and StallionRAT Malware	IP	188.127.225[.]191
October 22, 2025	Cavalry Werewolf APT Targets Multiple Industries Using FoalShell and StallionRAT Malware	IP	109.172.85[.]63
October 22, 2025	Cavalry Werewolf APT Targets Multiple Industries Using FoalShell and StallionRAT Malware	IP	62.113.114[.]209
October 22, 2025	Hackers Exploit Citrix Flaw and Deploy Snappybee Malware to Breach European Telecom Network	Domain	aar.gandhibludtric[.]com
October 19, 2025	New .NET CAPI Backdoor Targets Russian Automotive and E-Commerce Firms via Phishing ZIPs	IP	91.223.75[.]96
October 19, 2025	New .NET CAPI Backdoor Targets Russian Automotive and E-Commerce Firms via Phishing ZIPs	Domain	carprlce[.]ru
October 17, 2025	Microsoft Revokes 200 Fake Certificates Abused in Rhysida Ransomware Attacks	Domain	teams-download[.]buzz
October 17, 2025	Microsoft Revokes 200 Fake Certificates Abused in Rhysida Ransomware Attacks	Domain	teams-install[.]run
October 17, 2025	Microsoft Revokes 200 Fake Certificates Abused in Rhysida Ransomware Attacks	Domain	teams-download[.]top
October 15, 2025	100+ VS Code Extensions Found Exposing Developers to Hidden Supply Chain Threats	Domain	ab498.pythonanywhere[.]com
October 15, 2025	Attackers Exploit ICTBroadcast Cookie Flaw to Obtain Remote Shell Access	IP	143.47.53[.]106
October 15, 2025	Attackers Exploit ICTBroadcast Cookie Flaw to Obtain Remote Shell Access	Domain	localto[.]net
October 15, 2025	Chinese Hackers Employ Geo Mapping Tool to Maintain Year Long Persistence	IP	172.86.117[.]230
October 15, 2025	Chinese Hackers Employ Geo Mapping Tool to Maintain Year Long Persistence	File hash of bridge.exe	4f9d9a6cba88832fcb7cfb845472b63ff15cb9b417f4f02cb8086552c19ceffc
October 15, 2025	Chinese Hackers Employ Geo Mapping Tool to Maintain Year Long Persistence	File hash of hamcore.se2	84959fe39d655a9426b58b4d8c5ec1e038af932461ca85916d7adeed299de1b3
October 15, 2025	Researchers Reveal TA585’s MonsterV2 Malware Capabilities, Full Attack Chain	Domain	intlspring[.]com
October 15, 2025	Researchers Reveal TA585’s MonsterV2 Malware Capabilities, Full Attack Chain	Domain	api.ipify[.]org
October 11, 2025	Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Divert Employee Salaries	Domain	hunt[.]io
October 10, 2025	From HealthKick to GOVERSHELL: Tracking the Evolution of UTA0388 Espionage Malware	Domain	onedrive[.]live[.]com
October 10, 2025	Critical Flaw in WordPress Service Finder Theme Allows Authentication Bypass by Attackers	IP	192.121.16.196
October 10, 2025	Critical Flaw in WordPress Service Finder Theme Allows Authentication Bypass by Attackers	IP	194.68.32.71
October 10, 2025	Critical Flaw in WordPress Service Finder Theme Allows Authentication Bypass by Attackers	IP	178.125.204.198
October 10, 2025	AI Emerges as Russia’s Latest Cyber Weapon in Its War on Ukraine	Domain	onedrive[.]live[.]com
October 10, 2025	AI Emerges as Russia’s Latest Cyber Weapon in Its War on Ukraine	Domain	ipfs[.]io
October 9, 2025	Hackers Compromise WordPress Sites to Fuel Next-Generation ClickFix Phishing Campaigns	Domain	brazilc[.]com
October 9, 2025	Hackers Compromise WordPress Sites to Fuel Next-Generation ClickFix Phishing Campaigns	Domain	porsasystem[.]com
October 7, 2025	BatShadow Group Deploys Go-Based ‘Vampire Bot’ Malware Targeting Job Seekers	IP	103.124.95[.]161
October 7, 2025	BatShadow Group Deploys Go-Based ‘Vampire Bot’ Malware Targeting Job Seekers	Domain	api3.samsungcareers[.]work
October 7, 2025	BatShadow Group Deploys Go-Based ‘Vampire Bot’ Malware Targeting Job Seekers	Domain	samsung-work[.]com
October 7, 2025	BatShadow Group Deploys Go-Based ‘Vampire Bot’ Malware Targeting Job Seekers	Domain	samsungcareers[.]work
October 7, 2025	XWorm 6.0 Resurfaces with Over 35 Plugins, Upgraded Data Theft Features	IP	94.159.113[.]64
October 3, 2025	Detour Dog Exposed for Operating DNS-Based Malware Factory Linked to Strela Stealer	Domain	webdmonitor[.]io
October 3, 2025	Detour Dog Exposed for Operating DNS-Based Malware Factory Linked to Strela Stealer	Domain	aeroarrows[.]io
October 3, 2025	Researchers Alert on SORVEPOTEL, a Self-Spreading Malware Targeting WhatsApp Users	Domain	sorvetenopoate[.]com
October 2, 2025	Android Spyware Masquerades as Signal Encryption Plugin and ToTok Pro, Users at Risk	Domain	signal[.]org
October 2, 2025	Hackers Exploit Milesight Routers to Send Phishing SMS to Users in Europe	Domain	jnsi[.]xyz
September 28, 2025	New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks	Domain	captchanom[.]top
September 28, 2025	New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks	Domain	southprovesolutions[.]com
September 28, 2025	Vane Viper Generates 1 Trillion DNS Queries to Power Global Malware and Ad Fraud Network	Domain	omnatuor[.]com
September 28, 2025	Vane Viper Generates 1 Trillion DNS Queries to Power Global Malware and Ad Fraud Network	Domain	propeller-tracking[.]com
September 27, 2025	Fortra GoAnywhere CVSS 10 Vulnerability Exploited as Zero-Day Before Disclosure	IP	155.2.190[.]197
September 27, 2025	Malicious Rust Crates Steal Solana and Ethereum Wallet Keys with 8,424 Downloads Confirmed	Domain	mainnet.solana-rpc-pool.workers[.]dev
September 27, 2025	Malicious Rust Crates Steal Solana and Ethereum Wallet Keys with 8,424 Downloads Confirmed	Domain	api.mainnet-beta.solana[.]com
September 19, 2025	SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers	IP	104.250.164[.]214
September 19, 2025	SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers	Domain	VN5Socks[.]com
September 19, 2025	17,500 Phishing Domains Target 316 Brands Across 74 Countries Amid Global PhaaS Surge	Domain	eset.ydns[.]eu
September 19, 2025	17,500 Phishing Domains Target 316 Brands Across 74 Countries Amid Global PhaaS Surge	IP	91.231.182[.]187
September 19, 2025	Russian Hackers Gamaredon And Turla Join Forces To Deploy Kazuar Backdoor In Ukraine	Domain	telegraph[.]com (C2 mentioned via Telegraph API)
September 19, 2025	Russian Hackers Gamaredon And Turla Join Forces To Deploy Kazuar Backdoor In Ukraine	Domain	eset.ydns[.]eu
September 19, 2025	Russian Hackers Gamaredon And Turla Join Forces To Deploy Kazuar Backdoor In Ukraine	IP	91.231.182[.]187
September 19, 2025	Russian Hackers Gamaredon And Turla Join Forces To Deploy Kazuar Backdoor In Ukraine	IP	91.231.182[.]187
September 19, 2025	SilentSync RAT distributed through two malicious PyPI packages targeting Python developers	Domain	pastebin[.]com
September 19, 2025	SilentSync RAT distributed through two malicious PyPI packages targeting Python developers	Domain	pypi[.]org
September 19, 2025	SilentSync RAT distributed through two malicious PyPI packages targeting Python developers	IP	200.58.107[.]25
September 18, 2025	Chinese TA415 leverages VS Code remote tunnels to spy on U.S. economic policy experts	Domain	zohomail[.]com
September 18, 2025	Chinese TA415 leverages VS Code remote tunnels to spy on U.S. economic policy experts	Domain	requestrepo[.]com
September 18, 2025	Chinese TA415 leverages VS Code remote tunnels to spy on U.S. economic policy experts	Domain	pastebin[.]com
September 18, 2025	SlopAds fraud ring exploits 224 Android apps to push 2.3 billion ad bids every day	Domain	ad2[.]cc
September 18, 2025	New FileFix variant spreads StealC malware via multilingual phishing site	Domain	wl.google-587262[.]com
September 18, 2025	Over 180 npm packages targeted by self-replicating worm to steal credentials in recent supply chain attack	Domain	webhook[.]site
September 18, 2025	Over 180 npm packages targeted by self-replicating worm to steal credentials in recent supply chain attack	Domain	rustfoundation[.]dev
September 18, 2025	Over 180 npm packages targeted by self-replicating worm to steal credentials in recent supply chain attack	Domain	github.rustfoundation[.]dev
September 18, 2025	AI-powered Villager penetration testing tool surpasses 11,000 PyPI downloads amid abuse concerns	Domain	cyberspike[.]top
September 18, 2025	CISA warns of active exploitation of critical CVE-2025-5086 in DELMIA Apriso	IP	156.244.33[.]162
September 9, 2025	GPUGate Malware Leverages Google Ads and Fake GitHub Commits to Target IT Companies	Domain	gitpage[.]app
September 4, 2025	Chinese APT Hackers Exploit Router Vulnerabilities to Infiltrate Enterprise Networks	IP address	85.203.4[.]232
September 4, 2025	Chinese APT Hackers Exploit Router Vulnerabilities to Infiltrate Enterprise Networks	Domains	http[:]//attacker.com/shell[.]sh
September 4, 2025	MystRodX Exploits DNS and ICMP Channels to Steal Data From Compromised Systems	IP address	139.84.156.79
September 4, 2025	Phishing Campaign Hid for 3 Years on Google Cloud and Cloudflare Services	Domain	IOCs
September 3, 2025	Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack	IP Address	104.194.9[.]127
September 3, 2025	Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack	Domain	iranistrash[.]libre
September 3, 2025	Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack	Domain	pool.rentcheapcars[.]sbs
September 2, 2025	Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices	IP Address	185.156.72[.]0/24
September 2, 2025	Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices	IP Address	45.143.201[.]0/24
September 2, 2025	Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices	IP Address	185.193.89[.]0/24
September 2, 2025	Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices	IP Address	88.210.63[.]0/24
September 2, 2025	Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices	IP Address	92.63.197[.]0/24
September 2, 2025	Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices	IP Address	185.156.73[.]0/24
August 29, 2025	Sogou Zhuyin Update Server Hijacked in Taiwan Espionage Campaign	Domain	sogouzhuyin[.]com
August 29, 2025	Sogou Zhuyin Update Server Hijacked in Taiwan Espionage Campaign	Domain	dl[.]sogouzhuyin[.]com
August 29, 2025	Sogou Zhuyin Update Server Hijacked in Taiwan Espionage Campaign	Domain	srv-pc.sogouzhuyin[.]com
August 29, 2025	Amazon Disrupts APT29 Watering Hole Using Microsoft Authentication	Domain	cloudflare.redirectpartners[.]com
August 29, 2025	Amazon Disrupts APT29 Watering Hole Using Microsoft Authentication	Domain	findcloudflare[.]com