ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 213.139.77.171:79.

Database Entry

IOC ID: 1783991
IOC: 213.139.77.171:79
IOC Type: ip:port
Threat Type: botnet_cc
Malware: CASTLELOADER
Confidence Level: Confidence level is elevated (75%)
Is compromised?: False
ASN: AS398256 AS-ULTAHOST
Country: US
First seen: 2026-04-11 07:06:18 UTC
Last seen: never
UUID: b29cd98d-3513-11f1-9af6-42010aa4000a
Reporter: Lenny_3BO
Reward: 5 credits from ThreatFox
Tags: CastleLoader ClickFix finger LOLBin port79

Lenny_3BO
Finger protocol C2 on port 79. IPXO/Ultahost AS834, NYC. Shodan banner confirms active finger daemon (2026-04-10). Payload served via .plan file for user URmSigzqtf. Batch script kills explorer.exe, downloads Python embed, executes zlib-compressed loader fetching from tridontoq[.]com. Same finger.exe LOLBin TTP as prior ClickFix campaigns (dapala[.]net, 162[.]243[.]87[.]175:79).