📖 Overview
A domain-based indicator has been identified leveraging Portmap.io services for remote port forwarding, enabling XWorm malware command-and-control communications. Portmap’s free tunneling service is often abused by threat actors to disguise botnet traffic behind legitimate infrastructure. Confidence is assessed at 100%.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | SHADOWii0000-45869.portmap[.]host |
| Threat Type | Botnet C2 |
| Malware | win.xworm |
| Confidence | 100% |
| Date | 26 Sep 2025 – 12:00:19 UTC |
| Tags | C2, Domain, Triage, XWorm |
| Reporter | DonPasci |
🔎 URLScan Result
Verdict Score: 0
Page Title: Portmap.io – free port forwarding solution
Screenshot: https://urlscan.io/screenshots/019985e9-811e-756d-8d10-a74d5141cab8.png
Result: https://urlscan.io/result/019985e9-811e-756d-8d10-a74d5141cab8/
📡 Related Intelligence
DNS A Record: 193[.]161[.]193[.]99
Certificate Transparency: https://crt.sh/?q=SHADOWii0000-45869.portmap.host
VirusTotal Report: https://www.virustotal.com/gui/domain/SHADOWii0000-45869.portmap.host
URLScan Domain Overview: https://urlscan.io/domain/SHADOWii0000-45869.portmap.host
DNS Analytics: https://dnslytics.com/domain/SHADOWii0000-45869.portmap.host
🛡️ Defensive Guidance
- Block
SHADOWii0000-45869.portmap[.]hostand associated IP (193[.]161[.]193[.]99) at DNS, proxy, and endpoint levels. - Monitor for Portmap-related tunneling services in outbound traffic.
- Hunt for XWorm persistence and payload artifacts across endpoints.
- Inspect certificate transparency logs for additional Portmap subdomains tied to malicious activity.
⚠️ The use of Portmap tunneling highlights how adversaries exploit legitimate proxy services for stealthy C2 communication.
