Malware | May 6, 2026
My favorite Remus botnet C2 domain so far 😄 havelbeenpwned .net ⤵️ NICENIC INTERNATIONAL🇨🇳 1...
Remus botnet C2 domain and infrastructure IOCs disclosed.
Summary
A security researcher shared indicators of compromise for the Remus botnet, including the C2 domain havelbeenpwned.net, registered through the Chinese registrar NiceNIC International, and the command server at 103.211.219.238:4219 in India (AS394695). Additional IOCs are available on ThreatFox.
Indicators of Compromise
- domain — havelbeenpwned.net
- ip — 103.211.219.238
- malware — Remus
Entities
ThreatFox (technology)