ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain generate920da4.host94p.cfd.

Database Entry


IOC ID: 1835356
IOC: generate920da4.host94p.cfd
IOC Type: domain
Threat Type: payload_delivery
Malware: 5.t Downloader
Confidence Level: Confidence level is high (100%)
Is compromised?: False
ASN: AS13335 CLOUDFLARENET
Country: US
First seen: 2026-06-22 06:22:29 UTC
Last seen: never
UUID: 6cc549e3-6de5-11f1-9258-42010aa4000a
Reporter: Anonymous
Reward: 5 credits from ThreatFox
Tags: gaea-operations, malware, phishing, scams, stefan-himmelskamp

Anonymous
Coordinated malware delivery network operated by Gaea Operations GmbH (gaeaoperations.com). Entry point is ranoz.gg (file hosting platform). Obfuscated JS redirect code hosted at fluffle.cc/ghfetbyghntewdaa routes users through generate920da4.host94p.cfd to filehost.sbs where malicious zip/executable files are delivered without user consent. Clicky analytics script (in.getclicky.com) is spoofed to disguise the malicious injection and bypass security scanners. paster.so and lockr.so are sister platforms under the same operator using forced ad redirect chains exposing users to NSFW and gambling content. Already reported to Europol EC3, BSI Germany, Google Safe Browsing, Netcraft, and Spamhaus.