From public IOCs to pre-attack context - BYOIOC and the Darktrace Chaos case

Bring Your Own IOC (BYOIOC) - You supply indicators you already trust (from a vendor report, ISAC feed, or internal detections).
Malanta enriches, clusters, and expands them into IoPAs and graph context so CTI and SecOps can prioritize blocking, hunts, and abuse without replacing the source analysis.
What Darktrace reported (and the IOCs they published)
In early April 2026, Darktrace published analysis of a new Chaos malware variant targeting misconfigured Apache Hadoop in the cloud:
- 64-bit Linux ELF
- SOCKS5 alongside DDoS and cryptomining
- systemd persistence and self-deletion
Their IOC set includes gmserver.osfc.org[.]cn, pan.tenire[.]com, related IPv4s, a download URL on pan.tenire[.]com, and a SHA-256 for the sample.
Malanta expansion (this run)
From six seed IOCs aligned with the Darktrace case, the BYOIOC export contains:
- 447 expansion indicators (426 cluster-sourced IoPAs)
- 3 high-risk clusters
- 712 nodes and 4,076 edges
- 13 malicious-labelled IoPAs and 413 suspicious
Lead time is the delta between Malanta’s first graded conviction on an indicator and the point where it would typically appear only as a headline IOC. Here, malicious-labelled C2-linked domains carry on the order of months of lead time (about 168 days on primary seeds and about 110 days on selected multi-hop domains in the full report). That window supports prioritized blocking, hunts, and abuse reporting, alongside your own validation policy.
Proximity in the BYOIOC HTML ranks how tightly each expansion ties back to the nearest seed (the same column shows the distance band and hop depth). Closer rows are usually cheaper to operationalize first: shorter chains mean faster decisions on blocks, SIEM correlation, and scope for takedowns. Full scoring detail lives in the report appendix “How Proximity Is Calculated” if you need audit-level transparency.
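The hop-depth part of proximity is a multi-source breadth-first search from the seed set. The following is an added example, not Malanta's scoring code: it builds a small graph from the relationships this page names (DNS A records, shared apex domain, GitHub co-occurrence) and ranks each expansion by the hop count to its nearest seed. The edge list, the `repo:PLACEHOLDER` node standing in for the unnamed GitHub repositories, the assumption that the seed IP shares that repository context, and the distance-band thresholds are all constructed for illustration; the report's actual 712-node graph and scoring appendix are not reproduced.

```python
from collections import defaultdict, deque

# Seeds from the page: the apex domain and its A-record IP (defanged as published).
SEEDS = {"pan.tenire[.]com", "107.189.10[.]219"}

# Constructed edge list (node, node, relation). Relations are illustrative labels.
EDGES = [
    ("pan.tenire[.]com", "107.189.10[.]219", "dns_a"),
    ("pan.tenire[.]com", "aria.tenire[.]com", "same_apex"),
    ("aria.tenire[.]com", "107.189.6[.]220", "dns_a"),
    # Assumption: the co-occurrence pivot started from the seed IP; the page does
    # not say which seed it was. "repo:PLACEHOLDER" is a hypothetical repository node.
    ("107.189.10[.]219", "repo:PLACEHOLDER", "cooccurs_in"),
    ("107.189.10[.]175", "repo:PLACEHOLDER", "cooccurs_in"),
    ("107.189.6[.]150", "repo:PLACEHOLDER", "cooccurs_in"),
    ("107.189.10[.]185", "repo:PLACEHOLDER", "cooccurs_in"),
    ("107.189.6[.]124", "repo:PLACEHOLDER", "cooccurs_in"),
    # Constructed, unconnected pair: shows that unreachable nodes get no proximity.
    ("orphan.example", "192.0.2[.]1", "dns_a"),
]


def build_adjacency(edges):
    """Undirected adjacency: proximity does not care about edge direction."""
    adj = defaultdict(set)
    for a, b, _relation in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def hop_depth_from_seeds(edges, seeds):
    """Multi-source BFS: minimum hop count from any seed to each reachable node."""
    adj = build_adjacency(edges)
    depth = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for neighbour in adj[node]:
            if neighbour not in depth:
                depth[neighbour] = depth[node] + 1
                queue.append(neighbour)
    return depth


def distance_band(hops):
    """Assumed band thresholds; the report's own bands may differ."""
    if hops == 0:
        return "seed"
    if hops == 1:
        return "near"
    if hops == 2:
        return "mid"
    return "far"


def rank_expansions(edges, seeds):
    """Expansions (non-seed reachable nodes) sorted closest-first, then by name."""
    depth = hop_depth_from_seeds(edges, seeds)
    rows = [(n, h, distance_band(h)) for n, h in depth.items() if n not in seeds]
    rows.sort(key=lambda r: (r[1], r[0]))
    return rows


if __name__ == "__main__":
    for name, hops, band in rank_expansions(EDGES, SEEDS):
        print(f"{hops:>2}  {band:<5} {name}")
```

Closest rows surface first, which matches the page's advice to operationalize short chains before long ones; nodes that never connect to a seed are absent from the ranking rather than scored.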
Selected indicators (BYOIOC export)
pan.tenire[.]com (seed) has a DNS A record pointing to 107.189.10[.]219 (also a seed IP in the report).
aria.tenire[.]com (subdomain of the same apex, malicious in VT) has a DNS A record pointing to 107.189.6[.]220.
The following IPs were discovered through co-occurrence in malicious code repositories on GitHub, survived contextual IOC validation, and are all flagged as malicious in VirusTotal:
- 107.189.10[.]175
- 107.189.6[.]150
- 107.189.10[.]185
- 107.189.6[.]124
All five discovered IPs (the four listed above and 107.189.6[.]220, the aria.tenire[.]com address), along with the seed IP above, reside in the same BuyVM (Frantech Solutions) IP allocation (107.189.6[.]81 – 107.189.11[.]87) in Luxembourg.
BuyVM is a budget VPS provider known for privacy-friendly hosting; it accepts cryptocurrency payments and has a permissive abuse policy, making it a common choice for threat actor infrastructure.
The concentration of six related IPs within a single ~1,280-address block strongly suggests a common operator provisioning multiple VPS instances for different operational roles (C2, staging, payload delivery).
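The concentration argument above is easy to check mechanically before acting on it. The following is an added example (not Malanta's or Darktrace's code) that refangs the addresses as published on this page, tests each against the stated allocation boundaries, computes the size of that allocation, and counts how the matches spread across /24 prefixes. The `198.51.100[.]7` control address (an RFC 5737 documentation value) is constructed to exercise the out-of-range path; the allocation label is the page's wording.

```python
import ipaddress
import re
from collections import Counter

# Addresses from the page, kept defanged as published, with their stated provenance.
DISCOVERED_IPS = {
    "107.189.10[.]219": "seed (pan.tenire[.]com A record)",
    "107.189.6[.]220": "aria.tenire[.]com A record",
    "107.189.10[.]175": "GitHub co-occurrence",
    "107.189.6[.]150": "GitHub co-occurrence",
    "107.189.10[.]185": "GitHub co-occurrence",
    "107.189.6[.]124": "GitHub co-occurrence",
    # Constructed control value (RFC 5737 documentation range), not from the page.
    "198.51.100[.]7": "constructed control",
}

# (label, first address, last address), inclusive, as stated on the page.
ALLOCATIONS = [
    ("BuyVM (Frantech Solutions), Luxembourg", "107.189.6[.]81", "107.189.11[.]87"),
]

DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang(indicator):
    """Restore a defanged dotted address so ipaddress can parse it."""
    return DEFANG.sub(".", indicator)


def as_int(ip):
    return int(ipaddress.ip_address(refang(ip)))


def allocation_size(start, end):
    """Number of addresses in an inclusive start..end range."""
    return as_int(end) - as_int(start) + 1


def in_range(ip, start, end):
    return as_int(start) <= as_int(ip) <= as_int(end)


def group_by_allocation(ips, allocations):
    """Bucket each address under the first allocation that contains it."""
    groups = {label: [] for label, _, _ in allocations}
    groups["unmatched"] = []
    for ip in ips:
        for label, start, end in allocations:
            if in_range(ip, start, end):
                groups[label].append(ip)
                break
        else:
            groups["unmatched"].append(ip)
    return groups


def count_by_prefix(ips, prefixlen=24):
    """How many addresses fall in each /prefixlen network (shows clustering)."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{refang(ip)}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    label, start, end = ALLOCATIONS[0]
    print(f"{label}: {allocation_size(start, end)} addresses")
    groups = group_by_allocation(DISCOVERED_IPS, ALLOCATIONS)
    for name, members in groups.items():
        print(f"{name}: {len(members)} -> {members}")
    print(count_by_prefix(groups[label]))
```

Running it reproduces the page's numbers: the stated boundaries span 1,287 addresses (the "~1,280-address block"), all six page addresses land in that allocation, the control address does not, and the six split evenly between 107.189.6.0/24 and 107.189.10.0/24. The same functions apply unchanged to any other BYOIOC export once you substitute the allocation boundaries from WHOIS or the report.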
Note: the related domains gabungg-gruppwhattsapp18.ftp1[.]biz and judysigner.cafe24[.]com are being tracked as part of Malanta’s attack infrastructure clusters.

Where to go next
IOPA-Expansion-for-Darktrace-Chaos_Malware_Cloud_Misconfigurations-2026-04-07
Darktrace anchors the incident; Malanta layers IOPAs, lead time, and graph-scale pivots on the same seeds.