ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 166.88.54.158:443.
Database Entry
| IOC ID: | 1784321 |
|---|---|
| IOC: | 166.88.54.158:443 |
| IOC Type: | ip:port |
| Threat Type: | botnet_cc |
| Malware: | BeaverTail |
| Confidence Level: | high (100%) |
| Is compromised?: | False |
| ASN: | AS149440 EVOXTSDNBHD-AS-AP |
| Country: | MY |
| First seen: | 2026-04-11 19:37:22 UTC |
| Last seen: | never |
| UUID: | fa67ffbb-35bf-11f1-8759-42010aa4000a |
| Reporter: | Wim |
| Reward: | 5 credits from ThreatFox |
| Tags: | BeaverTail DPKR polinrider |
| Reference: | https://opensourcemalware.com/blog/polinrider-attack |
Wim
Exfiltration C2 server for DPRK BeaverTail / PolinRider / DEV#POPPER campaign (Lazarus Group, Contagious Interview sub-campaign).

Referenced by three Stage 3 JavaScript payload variants (SHA256: 32af4c538e484bb0c3d2a7e8967728ab3f73e7e605c00281561ecc24d99ef11c, 6ab500ef10c246f595e3ff48a54df276b884ce11088e0a50ac1385ccf8225e1a, 9ce4e50f0cb2b400153a4b32af4a6a8357bd0160fada71dd5f115b66303f220d) recovered from BSC transaction input fields and XOR-decrypted with PolinRider KEY1 (2[gWfGj;<:-93Z^C, 16-byte repeating).

The exfil URL is set via global['_t_s'] and upload URL via global['_t_u'] in Stage 3 JavaScript.

Hosted on Evoxt UK (AS149440, London). Windows Server 2022, ports 443/3389/5985 exposed. Companion server 136.0.9.8 reported separately. Abuse report filed with hoster on 2026-04-11.

Decryption method independently verified via byte-exact match against OpenSourceMalware published Stage 3 SHA256 11e87f7f27b3cf1a51e0b4b3903decd8945b5959eedf3cbc6be1920dab3c8823.

Reference: https://opensourcemalware.com/blog/polinrider-attack