ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 208.76.223.59:80.

Database Entry

This IOC expired

This IOC is an old IOC and hence has expired on 2026-06-06 01:15:26 UTC. We therefore refrain from exporting it into our datasets. As a result, this database entry is purely informational and has no impact.

IOC ID:	1761688
IOC:	208.76.223.59:80
IOC Type :	ip:port
Threat Type :	botnet_cc
Malware:	GlassWorm
Confidence Level :	Confidence level is high (100%)
Is compromised? :	True
ASN:	AS20473 AS-VULTR
Country:	US
First seen:	2026-03-08 18:45:28 UTC
Last seen:	never
UUID:	25c5b338-1b1e-11f1-9af6-42010aa4000a
Reporter	Anonymous
Reward	5 credits from ThreatFox
Tags:	c2 glassworm npm solana supply-chain vscode
Reference:	https://www.koi.ai/blog/glassworm-returns-new-wave-openvsx-malware-expose-attacker-infrastructure

Anonymous

GlassWorm supply chain worm C2 infrastructure. 199.247.10.14:4789 is the primary WebSocket (socket.io) C2 channel. 208.76.223.59:80 is the telemetry/exfiltration endpoint. Associated domain: kalitelimama.com (A record since May 2018). Hosting: Vultr (AS20473). 35,800+ confirmed victims per Koi Security. Malware propagates via trojanized VS Code extensions and npm packages, exfiltrates GitHub tokens, SSH keys, browser credentials. DHT target hash: 858d53e806734c539b50f15ca72580437ce47ba9. Solana C2 wallet: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC.