Attack scenarios:
tioeroge.com Website Traffic, Ranking, Analytics [March 2026] zeroend.hotzone18.com-release
This latest iteration boasts faster loading times and improved backend stability, addressing previous bottlenecks identified during testing. Attack scenarios: tioeroge
The campaign demonstrates a mature, modular threat‑actor capable of rapidly adapting its infrastructure and payloads. Continued monitoring, rapid blocking of the identified IOCs, and strengthening of macro‑execution controls are essential to prevent further compromise. Organizations that have already been impacted should prioritize forensic investigation, credential rotation, and incident‑response reporting to meet regulatory obligations. | Date (UTC) | Event | Details |
: Try visiting the URL in a browser. If it's a publicly accessible resource, you might find information about a software release, a testing environment, or another kind of service.
| Date (UTC) | Event | Details | |------------|-------|---------| | | First detection | Passive DNS sensors see zeroend.hotzone18.com resolve to 185.62.45.221 (AS 16276 – OVH). | | 2024‑02‑18 | Phishing campaign launch | Spam‑trap data shows a surge of e‑mail messages with subject “ Invoice #2024‑02 – Action Required ” containing a malicious .docm attachment. | | 2024‑02‑20 | Payload drop | The macro downloads zdx‑loader.exe (SHA‑256: 3FA9…C7D2 ). | | 2024‑03‑01 | C2 infrastructure added | Two new domains (api‑zeroend.hotzone18.com, data‑zeroend.hotzone18.com) point to 185.62.45.223, hosting a PHP‑based C2 server. | | 2024‑05‑12 | First public analysis | Malware‑research community publishes a sandbox report (VirusTotal detection rate ≈ 65 %). | | 2024‑08‑23 | Infrastructure shift | Domain’s A‑record changed to 45.9.148.210 (Hetzner). New “fast‑flux” behavior observed. | | 2025‑10‑03 | Release 2.0 (re‑branding) | New campaign uses a shortened URL (bit.ly/xyz123) that redirects to zeroend.hotzone18.com . The loader is now signed with a self‑signed code‑signing certificate (CN=ZeroEnd LLC). | | 2025‑10‑05 – 2025‑10‑28 | Peak activity | 1 200 unique victims per day; mining payload detected on > 300 Linux servers. | | 2025‑11‑15 | Takedown attempt | Hosting provider suspends 185.62.45.221 after abuse report; attackers migrate to a new IP range (185.199.108.0/22). | | 2026‑02‑20 | Current status | Domain still active, DNS TTL 300 s, pointing to 185.199.110.87. New C2 endpoints added (c2‑01.zeroend.hotzone18.com). |