Payloads observatory
Malware our honeypots were told to download.
When an exploit payload carries a wget/curl one-liner, we fetch the referenced file in a sandboxed collector, hash it, and check the hash against VirusTotal (uploading any sample VT has not seen before). 35 files so far, 25 flagged malicious. URLs are shown in defanged Safe-IOC form; each hash links to its VT report, and each host pivots into the per-IP report.
| File / SHA-256 | VT verdict (detections / engines) | Fetched via | Delivery URL (defanged) | First seen |
|---|---|---|---|---|
| sex.sh | 31/75 | tftp | [http]://143[.]20[.]185[.]220/sex.sh | 2026-06-12 18:12 |
| Ciabins.sh | 37/75 | wget | [http]://94[.]183[.]232[.]247/Ciabins.sh | 2026-06-12 15:16 |
| unnamed | 35/75 | wget | [http]://176[.]65[.]139[.]195/bins/zoryn.mips | 2026-06-11 15:29 |
| 7b15e02eb1012a75718bdbb7e4eb296337f7ddab | 26/75 | wget | [http]://217[.]60[.]195[.]70:8080/x86 | 2026-06-09 13:14 |
| bin.sh | 51/75 | wget | [http]://115[.]55[.]85[.]7:55027/Mozi.m | 2026-06-07 07:19 |
| unnamed | 4/75 | curl | [http]://45[.]13[.]186[.]32/run.sh | 2026-06-06 19:11 |
| 48782 | 10/75 | curl | [http]://vitacocoyougoloco[.]potassium[.]st/r | 2026-06-06 18:31 |
| unnamed | 23/75 | wget | [http]://176[.]65[.]149[.]168/adb.sh | 2026-06-06 15:13 |
| cat.sh | 19/75 | curl | [http]://176[.]65[.]139[.]126/cat.sh | 2026-06-06 03:28 |
| boatnet.mips | 35/75 | wget | [http]://176[.]65[.]149[.]124/hiddenbin/mips | 2026-06-05 09:24 |
| 3oxzm.exe | 26/75 | busybox-wget | [http]://176[.]65[.]139[.]27/x86_64 | 2026-05-30 12:37 |
| 8dkf5gpv.exe | 16/75 | b64 | [https]://14[.]46[.]136[.]77/sh | 2026-05-18 21:14 |
| 8dceaa82_sh.sh | 15/75 | curl | [https]://121[.]176[.]14[.]102/sh | 2026-05-17 02:30 |
| unnamed | 0/75 | curl | [http]://d83vf6ijchmkg68t4cug4jds7x74gxnen[.]oast[.]site | 2026-05-16 14:15 |
| unnamed | 0/75 | curl | [http]://d83vf6ijchmkg68t4cug5jsq37tzghngc[.]oast[.]site | 2026-05-16 14:15 |
| unnamed | 0/75 | wget | [http]://101[.]36[.]125[.]58:10598/i/969a34/a14n/op0w/ | 2026-05-15 15:12 |
| unnamed | 0/75 | curl | [http]://d83ilri1dk0477fthfq0ggt3rbqhkemox[.]oast[.]live | 2026-05-15 14:25 |
| unnamed | 0/75 | wget | [http]://d83ilri1dk0477fthfq0po7uie93fhth3[.]oast[.]live | 2026-05-15 14:25 |
| unnamed | pending | curl | [http]://d83ilri1dk0477fthfq07jr7cfmkb4c47[.]oast[.]live | 2026-05-15 14:21 |
| unnamed | pending | curl | [http]://d83ilri1dk0477fthfq0rudrqc8gxud1d[.]oast[.]live | 2026-05-15 14:21 |
| bin.sh | 51/75 | wget | [http]://27[.]37[.]111[.]24:48041/Mozi.m | 2026-05-15 14:05 |
| unnamed | 10/75 | wget | [http]://45[.]153[.]34[.]93/mips | 2026-05-15 01:12 |
| linux.sh | 12/75 | tftp | [http]://156[.]238[.]242[.]196/linux.sh | 2026-05-14 20:08 |
| 92945 | 32/75 | tftp | [http]://142[.]248[.]80[.]144/lol.sh | 2026-05-12 09:38 |
| run.sh | 3/75 | curl | [http]://176[.]65[.]139[.]166/run.sh | 2026-05-09 14:24 |
| phantom.mips | 31/75 | wget | [http]://45[.]157[.]233[.]103/bins/phantom.mips | 2026-05-08 15:57 |
| eec5c6c219535fba3a0492ea8118b397_bin.sh | 54/75 | wget | [http]://110[.]37[.]13[.]96:37828/Mozi.m | 2026-05-08 04:19 |
| unnamed | 3/75 | wget | [http]://168[.]220[.]248[.]106:9087/payload/a6i3khk75wgf/su9wyp.sh | 2026-05-07 23:21 |
| unnamed | pending | curl | [https]://updates[.]officehub[.]works | 2026-05-07 16:59 |
| 9zmn8.exe | 32/74 | wget | [http]://176[.]65[.]139[.]131/bins/mips | 2026-05-07 16:58 |
| ef3d2de82b34_stager-amd64 | 3/75 | curl | [https]://cdn[.]boyzee[.]xyz/086ad118cef06dd1ebe63c7b/stager-amd64 | 2026-05-07 16:58 |
| akido.mips | 41/74 | wget | [http]://45[.]157[.]233[.]103/d/akido.mips | 2026-05-07 16:58 |
| rondo.aqg.sh | 0/74 | busybox-wget | [http]://204[.]10[.]194[.]134/rondo. | 2026-05-07 16:57 |
| mips | 23/74 | wget | [http]://31[.]56[.]209[.]125/bins/mips | 2026-05-07 16:57 |
| file | 0/75 | curl | [http]://151[.]243[.]11[.]23 | 2026-05-07 16:56 |
refreshed every collector cycle · cached 10 min · newest 200 shown