📖 Overview
A domain-based indicator has been identified linked to XWorm command-and-control infrastructure. The domain is hosted through the Playit.gg platform, often abused by threat actors to proxy malicious traffic. This IOC represents a high-confidence threat tied to ongoing XWorm campaigns.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | insurance-statistical.gl.at.ply[.]gg |
| Threat Type | Botnet C2 |
| Malware | win.xworm |
| Confidence | 100% |
| Date | 03 Sep 2025 – 12:01:43 UTC |
| Tags | c2, domain, triage, XWorm |
| Reporter | DonPasci |
🔎 URLScan Result
Page Title: playit.gg
Screenshot: https://urlscan.io/screenshots/01990f76-aed5-76eb-b3ab-2821d15f45db.png
Result: https://urlscan.io/result/01990f76-aed5-76eb-b3ab-2821d15f45db/
📡 Related Intelligence
WHOIS Record: https://who.is/whois/insurance-statistical.gl.at.ply.gg
VirusTotal Report: https://www.virustotal.com/gui/domain/insurance-statistical.gl.at.ply.gg
Reference: https://tria.ge/250903-m1drlsvjz6
🛡️ Defensive Guidance
- Block
insurance-statistical.gl.at.ply[.]ggat DNS, proxy, and endpoint layers. - Monitor for outbound connections tunneled through Playit.gg services.
- Hunt for XWorm persistence artifacts and registry modifications.
- Review proxy and firewall logs for suspicious beaconing activity to Playit.gg subdomains.
⚠️ This IOC highlights the abuse of legitimate proxy services (Playit.gg) for C2 hosting, a common tactic to evade detection.
