📖 Overview
A new domain-based indicator has been identified in connection with payload delivery activity tied to the malware unknown_loader. The domain presents itself as a mobile advertising and monetization platform and is assessed with high confidence as a threat to users and organizations.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | cpibot[.]com |
| Threat Type | Payload Delivery |
| Malware | unknown_loader |
| Confidence | 90% |
| Date | 27 Aug 2025 – 23:27:53 UTC |
| Tags | Fake Software, fakeapp, Loader |
| Reporter | pancak3lullz |
🔎 URLScan Result
- Verdict: 100
- Page Title: CPIBot – Mobile Ad Network – Buy App Installs – Advertise (DSP for Advertisers) & Monetise (SSP for Publishers) your Android, iOS & Web App
- Result: View URLScan Report
📡 Related Intelligence
- WHOIS Record: who.is/whois/cpibot.com
- VirusTotal Report: VirusTotal Domain Report
🛡️ Defensive Guidance
- Block cpibot[.]com at the network and endpoint level.
- Monitor for suspicious connections that mimic mobile ad networks.
- Hunt for unknown_loader artifacts in endpoint telemetry.
- Review logs for traffic to suspicious DSP/SSP advertising infrastructure.