ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain app.kefel.tech.

Database Entry

IOC ID: 1559846
IOC: app.kefel.tech
IOC Type: domain
Threat Type: botnet_cc
Malware: SPICA
Confidence Level: moderate (50%)
Is compromised?: False
ASN: AS49505 SELECTEL
Country: RU
First seen: 2025-07-24 06:28:42 UTC
Last seen: never
UUID: aebd54af-67e6-11f0-851c-42010aa4000a
Reporter: akaCipher
Reward: 5 credits from ThreatFox
Tags: apk APT c2 CryptoScam exe FakeCryptoDashboard Fast-Flux NodeJS PQ-Hosting RussianAPT SSLReuse
Reference: https://medium.com/@knownascipher/kefel-io-friends-coldriver-c-c-infrastructure-report-84aa041b141a

akaCipher
TLP: CLEAR

Indicator:
kefel.tech

Threat Type:
Command and Control (C2)

Malware/Threat Name:
COLDRIVER (aka Spica)

Threat Actor:
COLDRIVER (APT29-affiliated, Russia)

Confidence:
Medium

First Seen:
2024-12-05 (cert reuse and passive DNS activity), active through 2025-07

Last Seen:
Ongoing

Tags:
APT, C2, CryptoScam, Fast-Flux, PQ-Hosting, RussianAPT, NodeJS, SSLReuse, APK, EXE, FakeCryptoDashboard

Description:
The domain kefel.tech is part of a likely COLDRIVER (“Spica”) infrastructure set. It uses fast-flux subdomains (s1–s6.kefel.tech) mimicking crypto dashboards and delivers APK/EXE payloads. SSL certificates reused across kefel.io and kefel.tech match previously identified Spica C2 (SHA256: f84bc7b16e3c9e9c47677...).

The domain resolves to PQ-Hosting (AS44477), an ASN previously linked to known Spica IP 45.133.216.15. HTTP headers on port 8003/8005 reveal a Node.js “Antares Trading System” — a financial scam previously flagged by Belgian FSMA.

Passive DNS records show resolution to:
- 185.234.247.20 (flagged by CRDF)
- 185.234.247.22, 185.234.247.25, etc.
- 77.223.99.224 (as of 2025-07-18)

IOC Table:

Type             IOC                                       Notes
domain           kefel.tech                                Main domain
domain           kefel.io                                  Shared infra
domain           s1.kefel.tech                             Fake dashboard
domain           s2.kefel.tech                             Fake dashboard
domain           s3.kefel.tech                             Fake dashboard
domain           s4.kefel.tech                             Fake dashboard
domain           app.kefel.tech                            Binary delivery
ip               185.234.247.20                            CRDF Malicious
ip               185.234.247.22                            Passive DNS
ip               77.223.99.224                             Latest resolve
ssl_fingerprint  428d09ca103d2593e3555304a2862f873c70ca7d  Reused across Spica infra
header           Antares Trading System                    Node.js C2 mimicry

Reference:
https://medium.com/@knownascipher/kefel-io-friends-coldriver-c-c-infrastructure-report-84aa041b141a

Reporter:
@knownAsCipher / Runavald (independent CTI researcher)