SENTINEL
SENTINEL / Command-and-Control / Indicator

SNT-C2-2026-05-C4D2

Confirmed Burned
Disclosed by ThreatFox · +29d
Command-and-Control

Lifecycle

When SENTINEL first saw this infrastructure, when public sources caught up, and when it went dark. The shaded span is our lead time.

LEAD OVER FIRST DISCLOSURE+29d +29d ThreatFoxObserved 05-20 Burned 05-23 3d operational life
SENTINEL first observed
2026-05-20
Max lead time
+29 days
Status
Burned on 2026-05-23

Public confirmations

Public threat-intel sources that subsequently listed this indicator. Lead time is days between SENTINEL first-observed and that source's published date.

Source Published Lead time Reference
ThreatFox 2026-06-18 +29d https://sentinel.internal/es/eitH2p4B9TWqc3cWKABD

Classification

Confidence Confirmed high-fidelity, analyst-validated
Category Command-and-Control
Indicator type IP address

Decay

How actionable this indicator is now. IoCs decay at type-specific rates (Pyramid of Pain); a fresh sighting resets the score.

0 / 95 expired
Lifetime3d · ip
Age0d since last sighting
Expires2026-06-23
95003dnow

Methodology. An indicator opens at a base score (set by confidence) and decays over a lifetime fixed by its type — IP 3d, URL 5d, domain 7d, file hash 21d, certificate 120d. Per the Pyramid of Pain, the harder an artefact is for an adversary to change, the longer it stays actionable. Score = base × (1 − (age / lifetime)1/speed), decay speed 2.6. Every fresh sighting in any source resets age to zero and the score back to base; once age reaches the lifetime the score is 0 and the indicator is expired and purged from active detection.

Indicator (revealed post-burn)

185.241.211.26
IP address