ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 151.243.109.125:80.

Database Entry

IOC ID:	1777493
IOC:	151.243.109.125:80
IOC Type :	ip:port
Threat Type :	botnet_cc
Malware:	PXA Stealer
Malware alias:	PXAStealer, PXA
Confidence Level :	Confidence level is high (90%)
Is compromised? :	False
ASN:	AS209274 Kraken-Network-ISP
Country:	RS
First seen:	2026-03-28 06:45:01 UTC
Last seen:	2026-03-27 21:37:25 UTC
UUID:	0c28f829-2a0d-11f1-9af6-42010aa4000a
Reporter	Lenny_3BO
Reward	5 credits from ThreatFox
Tags:	pxa_stealer snowlotus StoryShort telegram_dead_drop
Reference:	https://www.virustotal.com/gui/file/5d7c98d3eb2afba8d0e5c91949711b10524e42d2d28ba205dec93d0e875d4396

Lenny_3BO

PXA Stealer C2, decoded from Telegram dead drop bot Verymuchxbot via base64+XOR key SnowLotus. Endpoint: /recover_service/resolve?id=. PHP 8.1.25 on Apache, Kraken Network ISP NL. Part of StoryShort AI lure campaign (storyshort-app.com, 14 domains over 11 months on 144.172.86.129).