ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain steakhomsreciple.com.

Database Entry

IOC ID: 1783990
IOC: steakhomsreciple.com
IOC Type: domain
Threat Type: payload_delivery
Malware: CASTLELOADER
Confidence Level: Confidence level is elevated (75%)
Is compromised?: False
ASN: AS398256 AS-ULTAHOST
Country: US
First seen: 2026-04-11 07:06:19 UTC
Last seen: never
UUID: afa4ab12-3513-11f1-9af6-42010aa4000a
Reporter: Lenny_3BO
Reward: 5 credits from ThreatFox
Tags: CastleLoader ClickFix finger LOLBin

Lenny_3BO
ClickFix delivery domain registered 2026-04-09 via Hostinger. Token-gated nginx/1.18.0. Finger.exe LOLBin delivers batch script via finger URmSigzqtf@domain. Chain: batch dropper -> Python embed from python[.]org -> zlib+b64 stage 2 -> fetches from tridontoq[.]com (TF ID 1780802) -> HijackLoader (traffic6.zip) -> CastleLoader (qlogu.exe, 47/76 VT, 2 Elastic YARA matches). Campaign UUID 4ba0af68-0037-5f6e-afd1-64f89fc0f554 shared with postoconel[.]com (TF 1770752) and mirtona[.]com.