mirror of
https://github.com/JGoyd/ShadowShells.git
synced 2026-02-12 13:22:45 +00:00
1.4 KiB
| type | value | first_seen | confidence | notes |
|---|---|---|---|---|
| domain | github.stormbreaker.pro | 2025-12-07 | High | Repeatedly observed as C2 candidate in analyzed telemetry |
| domain | stormbreaker.pro | 2025-12-07 | High | Variant of primary C2 (parent domain of github.stormbreaker.pro) |
| domain | kaylees.site | 2025-12-09 | High | Secondary C2 / proxy domain observed |
| domain | pir.kaylees.site | 2025-12-09 | High | Relay/variant observed (subdomain of kaylees.site) |
| domain | spple.cf | 2025-12-09 | Medium | Typosquat / possible phishing domain |
| domain | apple.cf | 2025-12-09 | Medium | Typosquat / impersonation risk |
| domain | pstack.cf | 2025-12-09 | High | DNS queries observed in telemetry |
| domain | e.zip | 2025-12-09 | High | Download host / payload reference observed |
| domain | com.apple.pro | 2025-12-09 | Medium | Impersonation-like domain |
| domain | com.apple.online | 2025-12-09 | Medium | Impersonation-like domain |
| domain | modes.ga | 2025-12-09 | Medium | Observed in related telemetry |
| domain | quikit.ru | 2025-12-09 | Medium | Possible typosquat |
| domain | cs.cf | 2025-12-09 | Medium | Suspicious free-TLD domain |
| domain | authoriz.gq | 2025-12-09 | Medium | Suspect domain |
| uuid | A124B30D-1DA8-4A28-9086-C7F485678DCB | 2025-12-09 | High | System-proxy/tunnel UUID observed in telemetry (high-value pivot) |
| process | sshd | 2025-12-09 | High | SSH daemon referenced in multiple artifacts; a generic process name, so use it as a pivot into SSH-related logs rather than as a standalone detection |
| process | /bin/bash | 2025-12-09 | High | Shell invocation / command execution patterns observed; a generic binary, so correlate with the other indicators rather than alerting on it alone |
| string | payload 10567617091775419207 | 2025-12-09 | High | Unique payload identifier observed in artifacts |
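As an added example (not code from the ShadowShells repository), the Python below loads the table above as CSV and checks DNS query log lines against the domain indicators. A queried name counts as a hit when it equals an indicator or is a subdomain of it, so a lookup of `pir.kaylees.site` matches both `pir.kaylees.site` and `kaylees.site`, while `notkaylees.site` does not match. The DNS log format, the client addresses and the log lines themselves are constructed for the demo and are assumptions, not telemetry from the project.

```python
"""Match the ShadowShells domain IOCs against DNS query logs.

Added example, not part of the ShadowShells repository. The IOC rows below
are copied from the table on this page; the DNS log format and lines are
constructed for the demo.
"""
import csv
import io
import re

# IOC rows from the page, as CSV (type,value,first_seen,confidence,notes).
IOC_CSV = """type,value,first_seen,confidence,notes
domain,github.stormbreaker.pro,2025-12-07,High,Repeatedly observed as C2 candidate in analyzed telemetry
domain,stormbreaker.pro,2025-12-07,High,Variant of primary C2
domain,kaylees.site,2025-12-09,High,Secondary C2 / proxy domain observed
domain,pir.kaylees.site,2025-12-09,High,Relay/variant observed
domain,spple.cf,2025-12-09,Medium,Typosquat / possible phishing domain
domain,apple.cf,2025-12-09,Medium,Typosquat / impersonation risk
domain,pstack.cf,2025-12-09,High,DNS queries observed in telemetry
domain,e.zip,2025-12-09,High,Download host / payload reference observed
domain,com.apple.pro,2025-12-09,Medium,Impersonation-like domain
domain,com.apple.online,2025-12-09,Medium,Impersonation-like domain
domain,modes.ga,2025-12-09,Medium,Observed in related telemetry
domain,quikit.ru,2025-12-09,Medium,Possible typosquat
domain,cs.cf,2025-12-09,Medium,Suspicious free-TLD domain
domain,authoriz.gq,2025-12-09,Medium,Suspect domain
uuid,A124B30D-1DA8-4A28-9086-C7F485678DCB,2025-12-09,High,System-proxy/tunnel UUID observed in telemetry (high-value pivot)
process,sshd,2025-12-09,High,SSH daemon referenced in multiple artifacts
process,/bin/bash,2025-12-09,High,Shell invocation / command execution patterns observed
string,payload 10567617091775419207,2025-12-09,High,Unique payload identifier observed in artifacts
"""

# Constructed DNS query log (assumed format: timestamp client qtype name).
# Includes mixed case, a trailing dot, a subdomain of an IOC, and a
# look-alike (notkaylees.site) that must NOT match.
DNS_LOG = """\
2025-12-09T10:14:02Z 10.0.0.5 A pir.kaylees.site
2025-12-09T10:14:03Z 10.0.0.5 A updates.apple.com
2025-12-09T10:15:10Z 10.0.0.7 A cdn.e.zip
2025-12-09T10:16:44Z 10.0.0.9 AAAA stormbreaker.pro.
2025-12-09T10:17:01Z 10.0.0.9 A notkaylees.site
2025-12-09T10:18:30Z 10.0.0.11 A GITHUB.STORMBREAKER.PRO
2025-12-09T10:19:12Z 10.0.0.5 A spple.cf
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<name>\S+)$")
CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}


def parse_iocs(text):
    """Parse the IOC CSV into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def domain_matches(query, ioc_domain):
    """True if the query equals the IOC domain or is a subdomain of it.

    The dot-prefixed suffix test avoids substring false positives such as
    notkaylees.site matching kaylees.site.
    """
    q, i = normalize(query), normalize(ioc_domain)
    return q == i or q.endswith("." + i)


def scan_dns_log(log_text, iocs, min_confidence="Medium"):
    """Return one hit dict per (log line, matching domain IOC) pair."""
    threshold = CONFIDENCE_RANK[min_confidence]
    domains = [r for r in iocs
               if r["type"] == "domain"
               and CONFIDENCE_RANK[r["confidence"]] >= threshold]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        for row in domains:
            if domain_matches(m["name"], row["value"]):
                hits.append({"ts": m["ts"], "client": m["client"],
                             "query": normalize(m["name"]),
                             "ioc": row["value"],
                             "confidence": row["confidence"]})
    return hits


def clients_hit(hits):
    """Sorted, de-duplicated list of client addresses that queried an IOC."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for h in scan_dns_log(DNS_LOG, parse_iocs(IOC_CSV)):
        print(f'{h["ts"]} {h["client"]} {h["query"]} -> {h["ioc"]} ({h["confidence"]})')
    print("clients to triage:", clients_hit(scan_dns_log(DNS_LOG, parse_iocs(IOC_CSV))))
```

Raising `min_confidence` to `"High"` drops the Medium typosquat domains, which is the usual first pass when the list is used for alerting rather than hunting; the process and string rows are parsed but deliberately not used here, since `sshd` and `/bin/bash` are too generic to match against on their own.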