It’s been one month since I noticed an increase in the number of malware samples communicating with a certain IP, 185.6.242[.]251, and the trend has not slowed down in the last 30 days.

The number of C2 web panel instances seen on this IP in the last 30 days totals 97 as of this morning, as shown in this bar graph.

The distribution of malware C2 families seen on this IP is uneven: most are Lokibot and Pony instances, with a few ISRStealer, LiteHTTP and Citadel panels also noticed.

A few stats:

  • 1 IP
  • 5 malware families
  • 30 days
  • 47 domains
  • 97 C2 web panel instances
  • 222 MD5 hashes
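The stats above are what you get from pivoting a C2 panel feed on a single IP: refang the defanged indicators, filter sightings by the resolved IP, then count distinct panels per family, distinct hostnames and distinct sample hashes. The following is an added example of that pivot, not code or data from the original post. The feed format (date,family,panel_url,resolved_ip,sample_md5) and every record in it are constructed for this example; the domains use reserved example names and the hashes are deterministic placeholders.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse


def _fake_md5(label: str) -> str:
    """Deterministic placeholder hash so the constructed feed stays self-contained."""
    return hashlib.md5(label.encode()).hexdigest()


# Constructed sample feed (NOT the post's data). One line per panel sighting:
# date,family,panel_url,resolved_ip,sample_md5. Indicators are defanged the
# same way the post writes them (hxxp, [.]), as a real feed often would be.
FEED = "\n".join([
    f"2017-09-02,Lokibot,hxxp://185.6.242[.]251/loki/fre.php,185.6.242[.]251,{_fake_md5('a')}",
    f"2017-09-03,Lokibot,hxxp://185.6.242[.]251/loki/fre.php,185.6.242[.]251,{_fake_md5('b')}",
    f"2017-09-04,Lokibot,hxxp://185.6.242[.]251/loki2/fre.php,185.6.242[.]251,{_fake_md5('f')}",
    f"2017-09-05,Pony,hxxp://cdn-update[.]example[.]net/pony/gate.php,185.6.242[.]251,{_fake_md5('c')}",
    f"2017-09-06,Pony,hxxp://cdn-update[.]example[.]net/pony/gate.php,185.6.242[.]251,{_fake_md5('c')}",
    f"2017-09-07,ISRStealer,hxxp://mail-secure[.]example[.]org/isr/index.php,185.6.242[.]251,{_fake_md5('d')}",
    f"2017-09-08,Lokibot,hxxp://other-host[.]example[.]com/x/fre.php,203.0.113[.]9,{_fake_md5('e')}",
])


def refang(indicator: str) -> str:
    """Undo common defanging conventions (hxxp, [.], [:]) so the URL parses."""
    return (indicator.replace("hxxp", "http")
                     .replace("[.]", ".")
                     .replace("[:]", ":"))


def parse_feed(text: str) -> list:
    """Parse the constructed feed format into normalised records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, family, panel, ip, md5 = [f.strip() for f in line.split(",")]
        md5 = md5.lower()
        if not re.fullmatch(r"[0-9a-f]{32}", md5):
            raise ValueError(f"malformed MD5 in line: {line}")
        url = refang(panel)
        records.append({
            "date": date,
            "family": family,
            "panel": url,
            "host": urlparse(url).hostname or "",
            "ip": refang(ip),
            "md5": md5,
        })
    return records


def pivot_on_ip(records: list, ip: str) -> dict:
    """Aggregate every sighting resolving to `ip` into the kind of stats the post lists."""
    hits = [r for r in records if r["ip"] == ip]
    # A panel instance is a distinct URL; repeated sightings of the same
    # panel (new samples, same gate) must not inflate the count.
    panels_by_family = Counter()
    seen_panels = set()
    for r in hits:
        if r["panel"] not in seen_panels:
            seen_panels.add(r["panel"])
            panels_by_family[r["family"]] += 1
    # Domains are hostnames other than the bare IP itself.
    domains = {r["host"] for r in hits if r["host"] != ip}
    hashes = {r["md5"] for r in hits}
    return {
        "ip": ip,
        "families": dict(panels_by_family),
        "domains": sorted(domains),
        "panels": sorted(seen_panels),
        "hash_count": len(hashes),
    }


if __name__ == "__main__":
    summary = pivot_on_ip(parse_feed(FEED), "185.6.242.251")
    print(f"IP: {summary['ip']}")
    print(f"families: {summary['families']}")
    print(f"domains ({len(summary['domains'])}): {summary['domains']}")
    print(f"panels: {len(summary['panels'])}, hashes: {summary['hash_count']}")
```

Note the two de-duplication choices: panel instances are counted per distinct URL, not per sighting, and the family distribution is taken over panels rather than over samples, which is what "most are Lokibot and Pony instances" describes. Counting hashes instead would weight a single busy panel far more heavily.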