Threat Intelligence
Description
85.239.63[.]37
|
AS62240 - Clouvider Limited
|
IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance
|
65.109.204[.]197
|
AS24950 - Hetzner Online GmbH
|
After a dormant period, the threat actor used this IP address to login back into the Triofox instance and carry out subsequent activities
|
84.200.80[.]252
|
AS214036 - Ultahost, Inc.
|
IP address hosting the installer for the Zoho UEMSAgent remote access tool
|
216.107.136[.]46
|
AS396356 - LATITUDE-SH
|
Plink C2
|
Published: 2025-11-10T14:00:00
