ThreatFox IOC Database
You are viewing the ThreatFox database entry for domain brixhub.net.
Database Entry
| IOC ID: | 1822088 |
|---|---|
| IOC: | brixhub.net |
| IOC Type: | domain |
| Threat Type: | botnet_cc |
| Malware: | Unknown malware |
| Confidence Level: | Confidence level is moderate (50%) |
| Is compromised?: | False |
| ASN: | AS13335 CLOUDFLARENET |
| Country: | US |
| First seen: | 2026-06-04 05:16:42 UTC |
| Last seen: | never |
| UUID: | fde71cf2-5fac-11f1-a345-42010aa4000a |
| Reporter: | |
| Reward: | 5 credits from ThreatFox |
lmao1010
Suspected operator/management domain of a subscription-based SSH/Telnet proxy service operating as a botnet, linked to the control domain ssh.spider-net.cc.
Observed infrastructure (external nmap scan, 2026-06-04) on an associated host:
- Multiple distinct fake SSH daemons on consecutive ports 10004/10005/10011/10013/10014 (Golang x/crypto/ssh, modified dropbear "Linksys WRT45G", libssh).
- Credential-harvesting fake login service on port 10016 (Username/Password prompt returning "User not found").
- Recurring banner "RENEW YOUR SUBSCRIPTION / 0 DAYS LEFT UNTIL EXPIRATION" on ports 1212 and 10000-10007, indicating a paid subscription model.
- Additional unidentified services on 44444 and 55555.
Service account naming convention uses a "brx_" prefix (e.g. brx_17881), matching the "brixhub" brand. Pattern (multiple emulated SSH/Telnet daemons + credential capture + subscription banners) is consistent with a proxy network likely built on compromised devices.
Reported in parallel to the hosting/registrar abuse desk and to national authorities.