Cloudflare IP used as a reverse proxy for the malicious domains 'swacloud.com' and 'api.swa-recloud.fun'. Acts as a Command and Control (C2) server for an active infostealer targeting credential theft and session hijacking.

Cloudflare IP hosting the malicious infostealer C2 domain 'swacloud.com'. The infrastructure hosts an active dropper that downloads 'latest.exe' and extracts compromised Steam/Discord session tokens from infected machines. Multiple security vendors have flagged this infrastructure as malware.

Secondary AWS Anycast routing IP assigned to aieov.com infrastructure. Actively involved in delivering and beaconing malicious payloads (trojanized setup files/droppers) such as svchost10.exe (65/71 VT detection) and Bootstrapper.exe. It uses an unverified self-signed SSL configuration to mask traffic routing for phishing and malware distribution operations.

AWS Anycast edge node acting as infrastructure for malware distribution and C2 communication for the domain aieov.com. Threat intel indicates historical and active communication with malicious multi-stage droppers, including Win32 SETUP.EXE (66/71 VT detection) and Bootstrapper.exe (60/71 VT detection). The endpoint uses a self-signed SSL certificate (CN=sni-support-required-for-valid-ssl) to proxy traffic for deceptive campaigns.

Active casino-themed spam redirection infrastructure. The endpoint is hosted within the Google Cloud Storage bucket 'salmonnais', utilizing URL parameters to track and redirect victims targeted by spam campaigns.

Active financial-themed phishing infrastructure detected. The IP is serving a live scam landing page hosted inside the Google Cloud Storage bucket 'sd6514s6589dsd', distributed via automated spam campaigns designed to harvest user data.

Active phishing infrastructure detected hosting a live Okta-impersonating credential harvesting page inside the Google Cloud Storage bucket 'iytoiytrxx'. Attackers use complex subdomain spoofing to bypass initial email gateway filters.

Phishing campaign detected utilizing randomly generated spam domains (dqzxsbirskzdyhhyguovxtrx.com) to bypass filters and hosting deceptive credential harvesting pages on Google Cloud Storage paths. Security engines have flagged this infrastructure for active phishing and spam distribution.

The IP 129.226.129.181 is actively hosting or acting as an authorized mail server for the malicious domain 'lzbexu.com', which is currently being used to distribute phishing and spam emails (e.g., origin address: [email protected]).

The domain's SPF record ("v=spf1 a mx ~all") explicitly authorizes this IP infrastructure to send these unauthorized and deceptive emails. Multiple security engines, including alphaMountain.ai and VirusTotal, have already flagged this domain and its associated IPs as highly suspicious and malicious.

Please flag this IP to prevent further phishing campaigns and protect the community.
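The report above rests on how an SPF record of the form "v=spf1 a mx ~all" authorizes a sender: the `a` and `mx` mechanisms grant a pass to whatever IPs the domain's A record and its MX hosts resolve to, and anything else gets `~all` (softfail). The evaluator below is an added example, not code from the reporter or from any SPF library. It runs offline against a constructed in-memory DNS table; the A and MX values shown for lzbexu.com are assumptions made to illustrate the mechanism, since the actual records were not captured on the page. It also handles `ip4`, `include` and the `-all` hard fail so it generalizes beyond the record quoted.

```python
"""Minimal SPF evaluator: a, mx, ip4, include and all mechanisms.

Added example (not the reporter's code). Works against a constructed DNS
table so it runs with no network access. Real-world use would replace
lookup() with actual DNS queries and must honour the RFC 7208 lookup limit.
"""
import ipaddress

# Constructed DNS table. ASSUMPTION: the A/MX records for lzbexu.com are
# illustrative only; the page does not show the real values. TEST-NET
# addresses (198.51.100.x, 203.0.113.x) are used for the made-up hosts.
DNS = {
    ("lzbexu.com", "TXT"): ["v=spf1 a mx ~all"],          # quoted in the report
    ("lzbexu.com", "A"): ["129.226.129.181"],             # assumption
    ("lzbexu.com", "MX"): ["mail.lzbexu.com"],            # assumption
    ("mail.lzbexu.com", "A"): ["198.51.100.25"],          # assumption
    ("example.net", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:lzbexu.com -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the name/type is absent."""
    return DNS.get((name.lower(), rtype), [])


def _parse_term(term):
    """Split one SPF term into (qualifier, mechanism, target, cidr).

    Accepts forms such as 'a', '~all', 'mx:other.tld/28', 'ip4:1.2.3.0/24'.
    """
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    mech, _, arg = term.partition(":")
    cidr = None
    if "/" in mech:               # e.g. "a/24" with no explicit domain
        mech, cidr = mech.split("/", 1)
    if "/" in arg:                # e.g. "ip4:203.0.113.0/24"
        arg, cidr = arg.rsplit("/", 1)
    return qual, mech.lower(), arg, int(cidr) if cidr else None


def _ip_in_any(ip, addrs, cidr):
    """True if ip falls inside any of addrs/cidr (cidr defaults to /32)."""
    return any(
        ip in ipaddress.ip_network(f"{a}/{cidr or 32}", strict=False) for a in addrs
    )


def evaluate(ip_str, domain, depth=0):
    """Return (result, matching_term). result follows RFC 7208 vocabulary."""
    ip = ipaddress.ip_address(ip_str)
    if depth > 10:                # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror", None
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none", None
    if len(records) > 1:          # multiple SPF records are a permerror
        return "permerror", None

    for term in records[0].split()[1:]:
        qual, mech, arg, cidr = _parse_term(term)
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(f"{arg}/{cidr or 32}", strict=False)
        elif mech == "a":
            matched = _ip_in_any(ip, lookup(target, "A"), cidr)
        elif mech == "mx":
            matched = any(
                _ip_in_any(ip, lookup(h, "A"), cidr) for h in lookup(target, "MX")
            )
        elif mech == "include":   # include matches only on a recursive pass
            matched = evaluate(ip_str, arg, depth + 1)[0] == "pass"
        else:
            return "permerror", term   # ip6/exists/ptr not implemented here
        if matched:
            return QUALIFIERS[qual], term
    return "neutral", None        # no mechanism matched and no "all" present


if __name__ == "__main__":
    for ip, dom in [("129.226.129.181", "lzbexu.com"), ("198.51.100.7", "lzbexu.com")]:
        print(ip, dom, evaluate(ip, dom))
```

With the constructed table, 129.226.129.181 passes on the `a` mechanism and an unrelated address softfails on `~all`; swapping the A/MX entries for real answers turns this into the check a mail receiver performs on the envelope sender domain. Note that softfail is advisory only, which is why a permissive `~all` record still lets much of this traffic reach inboxes unless DMARC or the receiver's policy treats it as a reject.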