ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 136.0.9.8:443.
Database Entry
| IOC ID: | 1784303 |
|---|---|
| IOC: | 136.0.9.8:443 |
| IOC Type: | ip:port |
| Threat Type: | botnet_cc |
| Malware: | BeaverTail |
| Confidence Level: | High (100%) |
| Is compromised? : | False |
| ASN: | AS149440 EVOXTSDNBHD-AS-AP |
| Country: | MY |
| First seen: | 2026-04-11 19:37:18 UTC |
| Last seen: | never |
| UUID: | 038ec34c-35b6-11f1-8759-42010aa4000a |
| Reporter: | Wim |
| Reward: | 5 credits from ThreatFox |
| Tags: | BeaverTail DPRK EVOXT Lazarus nmp NodeJS polinrider supplychain |
| Reference: | https://opensourcemalware.com/blog/polinrider-attack |
Comment:
Exfiltration C2 servers for DPRK BeaverTail / PolinRider / DEV#POPPER campaign (Lazarus Group, Contagious Interview sub-campaign).

Both IPs are referenced by Stage 3 JavaScript payload global variables `_t_s` (C2 URL) and `_t_u` (upload URL). Decryption of the Stage 3 payload was independently verified byte-exact against the OpenSourceMalware published Stage 3 SHA256: 11e87f7f27b3cf1a51e0b4b3903decd8945b5959eedf3cbc6be1920dab3c8823

Both servers hosted on Evoxt UK (AS149440, London datacenter). Abuse report filed with hoster on 2026-04-11.

- 136.0.9.8: referenced by canonical Stage 3 variant (prior-research documented). Windows Server 2016, ports 443/3389/5985/27017. VT 11/94, AbuseIPDB 0 at time of analysis.
- 166.88.54.158: FIRST PUBLIC DISCLOSURE. Referenced by three newer Stage 3 variants (32af4c53..., 6ab500ef..., 9ce4e50f...) recovered from decrypted BSC payloads. Not documented in any prior public research. Windows Server 2022, ports 443/3389/5985. VT 0/94, AbuseIPDB 0 at time of analysis.
Related prior research:
- https://opensourcemalware.com/blog/polinrider-attack
- https://opensourcemalware.com/blog/neutralinojs-compromise
- Ransom-ISAC LOCKSTAR DEV#POPPER Part 1 + Part 2 (Oct 2025)
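Added triage example (not part of the ThreatFox entry or of the reporter's comment): given a decrypted Stage 3 payload, check its SHA256 against the published value quoted above and pull the `_t_s` / `_t_u` string assignments, normalising each URL to ip:port so it can be compared with the two IOCs in the comment. The sample JavaScript is constructed for the example; the page only names the two globals, so the `var _t_s = '...'` assignment syntax, the URL paths and the default-port handling are assumptions.

```python
import hashlib
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# ip:port IOCs named in the ThreatFox entry and the reporter comment.
KNOWN_C2 = {"136.0.9.8:443", "166.88.54.158:443"}

# Published Stage 3 SHA256 quoted in the reporter comment.
PUBLISHED_STAGE3_SHA256 = (
    "11e87f7f27b3cf1a51e0b4b3903decd8945b5959eedf3cbc6be1920dab3c8823"
)

# Matches `_t_s = "..."` / `_t_u = '...'` (with or without var/let/const).
# The variable names come from the comment; the assignment form is assumed.
_ASSIGN_RE = re.compile(r"""\b(_t_[su])\s*=\s*(["'])(.*?)\2""", re.DOTALL)

# Constructed sample standing in for a decrypted Stage 3 payload; not real malware code.
SAMPLE_STAGE3 = (
    "var _t_s = 'https://136.0.9.8:443/api/'; "
    'var _t_u = "https://166.88.54.158/upload"; '
    "var _x = 1;"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_published_hash(data: bytes, expected: str = PUBLISHED_STAGE3_SHA256) -> bool:
    """True only when the decrypted blob is byte-exact with the published Stage 3."""
    return sha256_hex(data) == expected.lower()


def extract_c2_vars(js: str) -> Dict[str, str]:
    """Return {variable: string value} for every _t_s / _t_u assignment found."""
    return {m.group(1): m.group(3) for m in _ASSIGN_RE.finditer(js)}


def url_to_ipport(url: str) -> Optional[str]:
    """Normalise a URL to host:port, filling the scheme default when no port is given."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    port = parts.port
    if port is None:
        port = {"https": 443, "http": 80}.get(parts.scheme)
    if port is None:
        return None  # unknown scheme and no explicit port: cannot map to ip:port
    return f"{parts.hostname}:{port}"


def triage(js: str, known=KNOWN_C2) -> Dict[str, dict]:
    """Extract the C2/upload globals and flag those that hit the known IOC set."""
    hits = {}
    for name, url in extract_c2_vars(js).items():
        ipport = url_to_ipport(url)
        hits[name] = {"url": url, "ip_port": ipport, "known_c2": ipport in known}
    return hits


if __name__ == "__main__":
    blob = SAMPLE_STAGE3.encode()
    print("sha256 matches published Stage 3:", matches_published_hash(blob))
    for name, info in triage(SAMPLE_STAGE3).items():
        print(name, info)
```

Run against a real decrypted Stage 3 blob, `matches_published_hash` tells you whether you recovered the canonical variant; a hash mismatch with `triage` still reporting known C2 is the pattern described for the three newer variants.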