ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain meki.google.co.ws.

Database Entry


IOC ID: 1780880
IOC: meki.google.co.ws
IOC Type: domain
Threat Type: botnet_cc
Malware: WSO
Malware alias: Webshell by Orb
Confidence Level: high (80%)
Is compromised?: False
ASN: AS47846 SEDO-AS
Country: DE
First seen: 2026-04-04 07:08:58 UTC
Last seen: never
UUID: e4769fc9-2f9b-11f1-9af6-42010aa4000a
Reporter: craftknight
Reward: 5 credits from ThreatFox
Tags: Beacon campaign-a filesmanager google-impersonation mainhack PHP webshell WordPress
Reference: https://www.rycerz.xyz/posts/wp-compromise-post-attack-analysis/

craftknight
MAINHACK webshell (FilesMan variant) beacon domain. Hardcoded as CSS stylesheet load: <link rel=stylesheet href=//meki.google.co.ws/style.css> — fires on every webshell UI render, logging attacker IP/timestamp/referer. Domain impersonates Google (.ws = Western Samoa TLD, not Google). DNS resolves to 91.195.240.94 (AS47846 SEDO GmbH, Frankfurt — parked). Was active when webshell was deployed on compromised WordPress site (March 2026).