| IP |
158.94.210.166 |
ClickFix Trojan - WinRBait |
T1659 - Content Injection, C&C |
Corporate Systems and Endpoints |
NA |
This IP address has been observed delivering malware via a fake CAPTCHA with a "Win + R" prompt. Uses PowerShell to download, compile and execute a .NET payload in memory. Common name: ClickFix / ClearFake, SigINT name: WinRBait |
2026-03-16 16:53 |
| HASH |
178.16.52.201 |
ClickFix Trojan - WinRBait |
T1189 - Drive-by Compromise |
Corporate Systems and Endpoints |
NA |
This IP address has been observed delivering malware via a fake CAPTCHA with a "Win + R" prompt. Uses PowerShell to download, compile and execute a .NET payload in memory. Common name: ClickFix / ClearFake, SigINT name: WinRBait |
2026-03-16 16:48 |
| DOMAIN |
188.114.96.3 |
ClickFix Trojan - WinRBait |
T1566 - Phishing |
Corporate Systems and Endpoints |
NA |
This IP address has been observed delivering malware via a fake CAPTCHA with a "Win + R" prompt. Uses PowerShell to download, compile and execute a .NET payload in memory. Common name: ClickFix / ClearFake, SigINT name: WinRBait |
2026-03-16 16:44 |
| HASH |
178.16.52.202 |
ClickFix Trojan - WinRBait |
T1189 - Drive-by Compromise |
Corporate Systems and Endpoints |
NA |
This IP address has been observed delivering malware via a fake CAPTCHA with a "Win + R" prompt. Uses PowerShell to download, compile and execute a .NET payload in memory. Common name: ClickFix / ClearFake, SigINT name: WinRBait |
2026-03-16 16:41 |
| IP |
178.16.53.70 |
ClickFix Trojan - WinRBait |
T1189 - Drive-by Compromise |
Corporate Systems and Endpoints |
NA |
This IP address has been observed delivering malware via a fake CAPTCHA with a "Win + R" prompt. Uses PowerShell to download, compile and execute a .NET payload in memory. Common name: ClickFix / ClearFake, SigINT name: WinRBait |
2026-03-16 16:07 |
| IP |
158.94.209.33 |
ClickFix Trojan |
T1189 - Drive-by Compromise |
Corporate Systems and Endpoints |
NA |
This IP address has been observed delivering malware via a fake CAPTCHA with a "Win + R" prompt. Uses PowerShell to download, compile and execute a .NET payload in memory. Common name: ClickFix / ClearFake, SigINT name: WinRBait |
2026-03-16 16:03 |
| IPV4 ADDRESS |
91.92.241.179 |
Interlock Ransomware |
T1219 - Remote Access Tools |
Government and other institutional systems (Education Sector) |
NA |
IP associated with malicious ScreenConnect domain |
2026-03-13 12:28 |
| DOMAIN |
user.kangaroosim.com |
Interlock Ransomware |
T1219 - Remote Access Tools |
Government and other institutional systems (Education Sector) |
NA |
Malicious ScreenConnect Domain |
2026-03-13 12:28 |
| IPV4 ADDRESS |
64.190.113.235 |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
Interlock RAT C2 IP |
2026-03-13 12:28 |
| IPV4 ADDRESS |
91.98.29.99 |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
Interlock RAT C2 IP |
2026-03-13 12:28 |
| IPV4 ADDRESS |
216.219.95.234 |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
Interlock RAT C2 IP |
2026-03-13 12:28 |
| DOMAIN |
sync-time-win.live |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| IPV4 ADDRESS |
157.250.195.229 |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
Interlock RAT C2 IP |
2026-03-13 12:28 |
| DOMAIN |
dns-teams-windows.live |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
eventsdatamicrosoft.org |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
uncertainty-por-bubble-persian.trycloudflare.com |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
periodic-priest-games-assessed.trycloudflare.com |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
settings-datamicrosoft.org |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
settings-win-datamicrosoft.org |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
assets-msnds.org |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
champagne-businesses-hand-theta.trycloudflare.com |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
microsoft-iplcloud.com |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
sublime-tragedy-counties-sculpture.trycloudflare.com |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
cf1-winows-ww.com |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |
| DOMAIN |
nedy-throwing-knock-whats.trycloudflare.com |
Interlock Ransomware |
T1189 - Drive-by Compromise |
Government and other institutional systems (Education Sector) |
NA |
NodeSnakeRAT C2 Domain |
2026-03-13 12:28 |