ThreatFox IOC Database

You are viewing the ThreatFox database entry for url http://79.124.59.142/cl-ncl-finalize.

Database Entry


IOC ID: 1806991
IOC: http://79.124.59.142/cl-ncl-finalize
IOC Type: url
Threat Type: payload_delivery
Malware: HijackLoader
Malware alias: DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER
Confidence Level: High (100%)
Is compromised?: True
ASN: AS50360 TAMATIYA-AS
Country: BG
First seen: 2026-05-05 12:59:23 UTC
Last seen: never
UUID: 9761edf7-4879-11f1-8759-42010aa4000a
Reporter: Anonymous
Reward: 5 credits from ThreatFox
Tags: HijackLoader, infostealer, renengine, SectopRAT

Anonymous
RenEngine variant of HijackLoader. These URLs host PowerShell reconnaissance and downloader scripts (cl-ncl-following and cl-ncl-finalize). The infection chain utilizes DLL side-loading via a spoofed Ren'Py game engine component to execute these scripts in-memory. This campaign is currently delivering LummaC2 infostealers.