ThreatFox IOC Database

You are browsing the Indicator Of Compromise (IOC) database of ThreatFox. If you would like to contribute IOCs to the corpus, you can do so through either the web form or the API.


  • IOCs shared (past 24 hours): 413
  • Most seen malware family (past 24 hours): ClearFake
  • IOCs in corpus: 1'689'368


Using the form below, you can search for malware samples by a hash (MD5, SHA256, SHA1), imphash, tlsh hash, ClamAV signature, tag or malware family.

Browse Database


The search syntax is as follows: keyword:search_term

The following is a list of accepted keywords, each with an example search_term:

  • ioc:ms-debug-services.com
  • malware:CobaltStrike
  • tag:TA505
  • threat_type:cc_skimming
  • uuid:87f310f3-540b-11eb-922c-42010aa4000a
