exfil destinations
Every external endpoint extracted from caught packages — webhook URLs, Discord webhooks, Telegram bot tokens, raw public IPs. Ranked by how many distinct packages referenced each destination. Use as a drop-in IOC list for IR, EDR, WAF, and TIP feeds.
Generic webhook-bin services (webhook.site, requestcatcher, pipedream, etc.). Free to set up, low takedown risk, dominant exfil pattern.
5 distinct
wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun, 3 packages, shared
lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun, 3 packages, shared
https://webhook.site/f684d33e-9a2b-4c7d-8e1f-3a5b2c4d6e7f, 2 packages, shared
https://webhook.site/f684d33e-7d78-49cb-8798-49952a0a3036, 1 package
tjalcgvzuaojvayjfdfh1rtb4ojaobofs.oast.fun, 1 package

Hardcoded public IPv4 destinations. Often a researcher box or a compromised host — the operator's most attributable surface.
1 distinct
104.248.94.23, 1 package