ThreatFox IOC Database
You are viewing the ThreatFox database entry for domain devilxclusive.lol.
Database Entry
| IOC ID: | 1796277 |
|---|---|
| IOC: | devilxclusive.lol |
| IOC Type : | domain |
| Threat Type : | botnet_cc |
| Malware: | Unknown malware |
| Confidence Level : | Confidence level is high (100%) |
| Is compromised? : | False |
| ASN: | AS24940 HETZNER-AS |
| Country: |  DE |
| First seen: | 2026-04-23 05:22:04 UTC |
| Last seen: | never |
| UUID: | 73a82076-3e83-11f1-8759-42010aa4000a |
| Reporter |  Cachuco |
| Reward | 5 credits from ThreatFox |
| Tags: | Android banker Kutxabank NFCGate NGate Spain Unicaja |
| Reference: | https://www.virustotal.com/gui/file/e494ce6af136876cba1adfe3f9d6e151f1dcf9a38059897cfb509e30e12b8c7b/detection |
Cachuco
Family: NGate / NFCGate-derived Android NFC-relay banker (Spain fork, internal designation NGate-ES-2026-04).Library libucjnet.so exports NFCGate JNI symbols verbatim. Victim: Kutxabank customer (ES). Multi-target via C2 branding.
Reference: https://www.virustotal.com/gui/file/e494ce6af136876cba1adfe3f9d6e151f1dcf9a38059897cfb509e30e12b8c7b/detection
<YARA rule link in repo future>.