📖 Overview
A domain-based indicator has been identified hosting a fake cryptocurrency wallet page imitating Guarda Wallet. This domain is linked to command-and-control infrastructure and represents a high-confidence threat. Users interacting with it risk credential theft and potential loss of digital assets.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | app-guarda[.]com |
| Threat Type | Botnet C2 |
| Malware | unknown |
| Confidence | 100% |
| Date | 01 Sep 2025 – 14:24:17 UTC |
| Tags | c2 |
| Reporter | PunisherRipRip |
🔎 URLScan Result
Page Title: Guarda Wallet
Screenshot: https://urlscan.io/screenshots/01990200-977c-718c-9512-7c14981e610e.png
Result: https://urlscan.io/result/01990200-977c-718c-9512-7c14981e610e/
📡 Related Intelligence
WHOIS Record: https://who.is/whois/app-guarda.com
VirusTotal Report: https://www.virustotal.com/gui/domain/app-guarda.com
🛡️ Defensive Guidance
- Block
app-guarda[.]comat DNS, proxy, and endpoint layers. - Monitor for user attempts to interact with fake cryptocurrency wallet infrastructure.
- Hunt for credential exfiltration attempts in endpoint telemetry.
- Review logs for connections to infrastructure imitating legitimate wallet services.
![IOC Alert: Suspicious Crypto Wallet Domain Used for Payload Delivery – ashigaruwallet[.]rs](/content/images/size/w1304/format/webp/2025/09/IOC_Alert-2.png)
![IOC Alert: NetSupport Manager RAT Payload Delivery – wood-simple[.]com/drip.sym](/content/images/size/w1304/format/webp/2025/09/IOC_Alert.png)
![IOC Alert: Lumma Stealer C2 Domain Identified – larpfxs[.]top](/content/images/size/w1304/format/webp/2025/08/23985762398576198764252-1.jpg)
