Dark Web Informer - Cyber Threat Intelligence

IOC Alert: Suspicious HTX-Themed Domain Used for Potential C2 Activity

📖 Overview

A phishing-style domain mimicking the HTX cryptocurrency exchange login page has been identified. While presenting itself as a legitimate portal, the infrastructure may serve two purposes: phishing credential harvesting and potential command-and-control (C2) activity. Confidence is assessed at 75%.


📌 Key Details

Field         Information
Type          Domain
Indicator     htx-user[.]at
Threat Type   Botnet C2
Malware       Unknown
Confidence    75%
Date          06 Oct 2025 – 16:41:32 UTC
Tags          domain
Reporter      anonymous
Reference     None

🔎 URLScan Result

  • Verdict Score: 0
  • Page Title: HTX Вход — Авторизация аккаунта | HTX Login & Sign In
  • Screenshot: View Screenshot
  • Result: Full Scan Report

📡 Domain & Certificate Info

  • DNS A Record: 95[.]129[.]234[.]137
  • Recent Certificates:
    • C=US, O=Let's Encrypt, CN=R12 (Valid: 2025-09-20 → 2025-12-19)
    • C=US, O=Let's Encrypt, CN=R12 (Valid: 2025-09-20 → 2025-12-19)
    • C=US, O=Let's Encrypt, CN=R13 (Valid: 2025-09-15 → 2025-12-14)


🛡️ Defensive Guidance

  • Block htx-user[.]at and its associated IP (95[.]129[.]234[.]137) at DNS, proxy, and endpoint layers.
  • Watch for outbound traffic patterns or login attempts to lookalike cryptocurrency domains.
  • Hunt for credentials exfiltrated to suspicious domains masquerading as crypto exchange portals.
  • Track certificate transparency logs to detect and pre-emptively block newly registered HTX-themed lookalike domains.
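As an added example, not part of the original alert: a small Python hunt script that refangs the published IOCs, matches them against DNS/proxy log lines, and flags other HTX-themed lookalike hosts as the guidance above suggests. The log line format, the legitimate-domain allow-list (htx.com) and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# IOCs as published in the alert, kept defanged; refang() produces the matchable form.
DEFANGED_DOMAIN = "htx-user[.]at"
DEFANGED_IP = "95[.]129[.]234[.]137"

# Assumption: the exchange's own domains (allow-list, hypothetical for this example).
LEGIT_DOMAINS = {"htx.com", "www.htx.com"}

# Assumed log format: "<timestamp> src=<ip> dns|proxy <host> [dst=<ip>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) (?P<kind>dns|proxy) (?P<host>\S+)(?: dst=(?P<dst>\S+))?$"
)

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def is_htx_lookalike(host: str) -> bool:
    """True when the host carries the 'htx' brand token but is not the exchange's own domain.
    Labels are split on '.', '-' and '_', so 'login.htx-secure.net' matches but 'lightx.io' does not."""
    host = host.lower().rstrip(".")
    if host in LEGIT_DOMAINS or host.endswith(".htx.com"):
        return False
    return "htx" in re.split(r"[.\-_]", host)

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that touches the known IOC or an HTX-themed lookalike."""
    bad_domain, bad_ip = refang(DEFANGED_DOMAIN), refang(DEFANGED_IP)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently miss on a partial match
        host, dst = m["host"].lower().rstrip("."), m["dst"]
        if host == bad_domain or dst == bad_ip:
            hits.append({"ts": m["ts"], "src": m["src"], "host": host, "reason": "known-ioc"})
        elif is_htx_lookalike(host):
            hits.append({"ts": m["ts"], "src": m["src"], "host": host, "reason": "htx-lookalike"})
    return hits

# Constructed sample log lines (not from the alert): two IOC hits, one lookalike, two benign.
SAMPLE_LOGS = [
    "2025-10-06T16:41:32Z src=10.0.0.12 dns htx-user.at",
    "2025-10-06T16:42:01Z src=10.0.0.12 proxy htx-user.at dst=95.129.234.137",
    "2025-10-06T16:45:10Z src=10.0.0.33 dns login.htx-secure.net",
    "2025-10-06T16:46:00Z src=10.0.0.33 dns www.htx.com",
    "2025-10-06T16:47:00Z src=10.0.0.40 dns lightx.io",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} {hit['host']} [{hit['reason']}]")
```

Lookalike hits are leads for triage, not automatic blocks; the exact-IOC hits are the ones the guidance says to block outright.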

⚠️ This IOC highlights the continued abuse of cryptocurrency branding by threat actors who stage fake login portals to capture credentials or operate C2 channels under the guise of legitimate services.
