ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 165.227.123.79:6504.
Database Entry
| IOC ID: | 1833837 |
|---|---|
| IOC: | 165.227.123.79:6504 |
| IOC Type: | ip:port |
| Threat Type: | botnet_cc |
| Malware: | IClickFix |
| Confidence Level: | Confidence level is elevated (75%) |
| Is compromised?: | False |
| ASN: | AS14061 DIGITALOCEAN-ASN |
| Country: | US |
| First seen: | 2026-06-19 05:57:11 UTC |
| Last seen: | never |
| UUID: | c4dea3d5-6b3b-11f1-9258-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | AddType ClickFix Digitalocean FakeCaptcha mtls nginx one-check.lol powershell TLS1.3 |
init_0
Direct-connect C2 reached by an in-memory .NET implant (PowerShell Add-Type/csc) following a ClickFix / fake-CAPTCHA infection. Listener: nginx, TLS 1.3 only, silently drops non-matching requests (return 444), presents no certificate to unauthenticated clients (mTLS-gated). Observed 2026-06-17 ~22:18 UTC. Flagged by EDR as fileless/anti-exploitation.