📖 Overview
A potential Glupteba botnet command-and-control (C2) domain has been identified. The site currently returns a 404 response, indicating the infrastructure may have been recently decommissioned or is inactive at this time. However, historical associations suggest prior malicious use for C2 operations related to the Glupteba malware family. Confidence is assessed at 50%.
📌 Key Details
| Field | Information |
|---|---|
| Type | URL |
| Indicator | https://server14.safarimexican[.]net/ |
| Threat Type | Botnet C2 |
| Malware | win.glupteba |
| Confidence | 50% |
| Date | 17 Oct 2025 – 09:01:03 UTC |
| Tags | c2, glupteba, URLQuery |
| Reporter | juroots |
| Reference | URLQuery Report |
🔎 URLScan Result
- Verdict Score: 0
- Page Title: Not Found (#404)

📡 Related Intelligence
- VirusTotal Report: VirusTotal URL Report
🛡️ Defensive Guidance
- Block access to server14.safarimexican[.]net at all network levels (DNS, proxy, firewall).
- Monitor for signs of Glupteba activity, including HTTP beaconing or use of proxy-related commands for persistence.
- Check for historical connections to inactive or error-returning C2 hosts that may rotate infrastructure frequently.
- Consider implementing behavior-based detection for Glupteba components, including PowerShell-based downloads and browser credential theft indicators.
⚠️ This IOC highlights Glupteba’s tendency to leverage transient or recycled domains as fallback C2 points. Even if inactive, such infrastructure may reappear under the same registrant patterns or reused TLS certificates in future campaigns.