ipv4

85.137.53.71

discovered 2026-07-14

Primary HTTP C2 server. Command server on port 8080, data-exfiltration upload on port 8081 (SafeDep also observed proxy management on 8091). Attacker secp256k1 public key from the decrypted __RT_BAKED__ config: 0432fa4ba871877d94081fe83323fa24dfa1491e9de8725cbab7b734de9e9be3b233ef6742fd6264437c9532223d687b05fa540b70af6a516b8539af84d0eeb48e (beacon signing / encrypted C2).

Campaigns