# Post-Gamaredon-Feb-2022 blog release IoC update
# 16FEB2022
# note that clustering may not be authoritative
# LNK files
# These were not observed in earlier campaigns and seem to be a new dropper technique
19888c043afde1f63f25a807192170bc65377e6c89f693ad7af70c0a03a349ed
60539634489764d9e590433ef632727aa465075befcb4f2d4f60405c0f8e600c
be7d70fb705c74f2de86db2b34f3e7587e5b3ded2d02eaad48fcfee426379372
782a8cc34746ca1ffc7cd83a9cc4cd64c60de2e69622a06d2a01792df2e2573c
7c2c376300c1fc562521196458c2594edac152f1ad944c517927b5a12193980c
3d80541e59b4bedac6bd275514c0941b1478d62d6ef8b8560720d05a83c0a910
# Cluster 1 - new domains
maonas.ru
nastorlam.ru
nokitrav.ru
postoral.ru
rebatok.ru
sadotra.ru
lotorsas.ru
diletras.ru
distorhan.ru
filopar.ru
firatoska.ru
gartisop.ru
giltorad.ru
hikorto.ru
jenipot.ru
jistarka.ru
jolopar.ru
koloparto.ru
koutora.ru
mavzolit.ru
milotor.ru
potrahid.ru
shaparto.ru
skripotan.ru
somebodar.ru
turikar.ru
vartogal.ru
bolotran.ru
corintar.ru
drumtar.ru
filikato.ru
fortuskan.ru
giboltar.ru
giroed.ru
golitus.ru
hikorta.ru
holotras.ru
hotilar.ru
kassanfo.ru
kolopart.ru
kolotara.ru
lestori.ru
mafdis.ru
mirtokla.ru
nintara.ru
ringali.ru
tirotar.ru
videotri.ru
vivaldar.ru
# Cluster 1b - linked by WHOIS message-yandex.ru@mail.ru
# Note that this email links to cluster 1 historic origins
# also seen in domains back to 2017
# These are active registrations as of Feb 2022. Approximately 200 expired registrations are not listed.
emailinfo.site
downloadfiles.website
email-inbox.site
ukrnet.site
settings-ukr.net
email-smtp.online
assasysa.online
eyeofra.online
email-info.online
acridoxena.online
hewaniana.online
erythrocephala.online
acantholyda.online
severodoneck.site
admin-gmail.online
account-google.site
file-check.site
sebaer.xyz
triturus.xyz
taphrometopon.xyz
splendensi.xyz
schrenchi.xyz
salamandras.xyz
rutilus.xyz
reticulatus.xyz
pugnax.xyz
molurus.xyz
maculosa.xyz
lineolatum.xyz
glanisa.xyz
cristatus.xyz
chaetodon.xyz
bettar.xyz
mesogonistius.xyz
temporaria.xyz
reinvardtii.xyz
macropodus.xyz
lotari.xyz
fluviatilis.xyz
ridibunda.xyz
ranar.xyz
mystaceus.xyz
arvalis.xyz
carassiusis.xyz
phyllomedusa.xyz
hypochondralis.xyz
gastrotheca.xyz
callichthys.xyz
sclerops.xyz
phrynocephalus.xyz
ophisaurusis.xyz
niloticu.xyz
marsupiata.xyz
jordanella.xyz
igneus.xyz
hylar.xyz
gibelio.xyz
geophagusi.xyz
gasterosteus.xyz
floridae.xyz
crocodilus.xyz
carassiuss.xyz
caimana.xyz
brasiliensisi.xyz
bombinators.xyz
avratus.xyz
auratus.xyz
apusa.xyz
aculeatus.xyz
ua-email.press
rhinoderma.xyz
pipasa.xyz
ophisaurus.xyz
obstetricans.xyz
darvini.xyz
bufol.xyz
bombinator.xyz
apusi.xyz
alytes.xyz
trichopodus.xyz
gavialis.xyz
trichopterus.xyz
leeri.xyz
eversmanni.xyz
scincus.xyz
rhodeus.xyz
nemachilus.xyz
murinus.xyz
misgurnus.xyz
lebetina.xyz
horridus.xyz
gymnodactylus.xyz
griseus.xyz
gangeticus.xyz
fragilis.xyz
fossilis.xyz
crossobamon.xyz
caspius.xyz
berus.xyz
barbatulus.xyz
anguisa.xyz
amarus.xyz
ambystoma.xyz
alligatori.xyz
agamat.xyz
acaciana.xyz
adonisis.xyz
bartli.xyz
achilleas.xyz
camphorat.xyz
acorusis.xyz
willder.xyz
wallich.xyz
vernalisa.xyz
senegala.xyz
precatoriusis.xyz
millefolium.xyz
ferrox.xyz
cynapiuma.xyz
calamusi.xyz
betulina.xyz
barosma.xyz
aethusas.xyz
adonisi.xyz
abrusa.xyz
anamirtat.xyz
althaean.xyz
silvestris.xyz
occidentale.xyz
montanar.xyz
macrotomias.xyz
hypogaeat.xyz
cotular.xyz
cephalotes.xyz
catechur.xyz
arvensis.xyz
anthriscus.xyz
alpiniar.xyz
artemisian.xyz
absinthiuma.xyz
oleifera.xyz
juncear.xyz
hiemalis.xyz
papayana.xyz
kyiv-mail.site
maculatum.xyz
claviceps.xyz
autumnale.xyz
fionar.xyz
eluteria.xyz
coriandrum.xyz
settings-google.site
cyminum.xyz
dracod.xyz
cuminum.xyz
calamuss.xyz
duboisia.xyz
dipterocarpus.xyz
cardamomum.xyz
capillaceum.xyz
buhse.xyz
boiss.xyz
aspidium.xyz
ammoniacum.xyz
blockpost.space
blockpost.website
blockpost.site
gelsemium.xyz
canadensis.website
barbadense.space
abyssinica.website
bitsbitsk.space
bitsbitsi.space
bitsbitsl.space
bitsbitsc.space
bitsbitsd.space
bitsbitsb.space
bitsbitsa.space
metrika.site
ardinvest.site
bitsadmin4.space
email-gov.site
mil-gov.site
bitsadmin3.space
adblocked.space
bitsadmin2.space
# Cluster 4 - from Microsoft MSTIC Report
# comparable to cluster 3
artisola.ru
lotorgas.ru
gitrostan.ru
# Cluster 5 - from Microsoft MSTIC Report
# Used by PS malware
retarus.ru
calendas.ru
corolain.ru
goloser.ru
alacritas.ru
# Cluster 6 - from Microsoft MSTIC report (older)
# Word docs
acetica.online
mail-check.ru
word-expert.online
# Cluster 7
# Has links to Cluster 1 but appears to be a unique sub-cluster
libellus.ru
barbatas.online
floundera.online
plaicer.ru
barbatas.ru
ferruminatio.ru
privigna.online
mullus.online
sardanal.ru
puppis.ru
goatfish.ru
libellus.online
mulleti.ru
puppis.online
tectaconstrata.online
barbatam.online
mullus.ru
barbatus.online
ferruminatio.online
sardanal.online
privigna.ru
tectaconstrata.ru
# More cluster 7 from Pivot on WHOIS tank-bank15@yandex.ru +7.9789224690
solerat.online
plaicer.online
mulleti.online
goatfish.online
flatfisha.online
bonitol.online
# Cluster 8
# Lone domain - may find links with some more history
neslovo.ru
# Cluster 9
# Only cluster observed still using some NoIP DDNS domains
# Also not using reg.ru for hosting
coagula.online
phymateus.online
tortunas.ru
upload-dt.hopto.org
upload-lk.hopto.org
up-dot.hopto.org
up-lnk.hopto.org
# Cluster 9 WHOIS Pivot macrobit@inbox.ru +7.9789224559
abrumpere.online
acanthophis.online
acetobacter.online
achalinus.online
acrididae.online
agaricusa.online
albatrellus.online
alburnus.online
alicui.online
anisoptera.online
anolis.online
antarcticus.online
apaturinae.online
apidaet.online
apoxipodes.online
arachnidas.online
archaicus.online
archiepiscopus.online
arctiidae.online
asilidae.online
asymmetria.online
atlanticos.site
babylont.online
bacilluse.online
biblidinae.online
blaberidae.online
blattodea.online
boniton.site
botaurus.online
brachycera.online
burhinus.online
campestri.online
carinatus.online
carolinensis.online
cerambycidae.online
cereusi.online
chelicerata.online
cichlasoma.online
ciconiat.online
circulas.online
clonorchis.online
clupeonella.online
coeruleus.online
coleopteras.online
coliadinae.online
cololabis.online
conscindere.online
corvusi.online
cultiventris.online
cyrestinae.online
danainae.online
decursio.online
differre.online
difformis.online
dionysi.online
dipteran.online
discedere.online
discouti.online
discrepare.online
disjungere.online
diversiformis.online
dividere.online
email-online.site
empusidae.online
emysi.online
eryxis.online
eurypterida.online
extrado.online
exundare.online
facetum.online
fanniidae.online
fasciolas.online
felineus.online
flatfish.site
flounder.site
fnhn.online
fnrn.online
formosanus.online
fossor.online
goatfish.site
golintras.site
gonepteryx.online
gorimana.site
gov-ua.pw
graeca.online
graphiuma.online
graphosoma.online
gromphadorhina.online
gurmou.site
hakena.online
halibut.site
hamadryas.online
haplochromis.online
heliconiinae.online
hepatica.online
herpetodryas.online
herrings.site
hesperiidae.online
heteroptera.online
heterotypus.online
hierodula.online
hippoglossus.online
hkjn.online
hkol.online
hohlomida.site
holodosiz.site
homoptera.online
horivana.site
hpoi.online
hymenoptera.online
id-metrika.site
inachis.online
incursio.online
incursionibus.online
incursus.online
intumescere.online
irritabilitas.online
jaculusan.online
kallima.online
khjs.online
khpf.online
kjoi.online
labefacere.online
labefactare.online
lacerare.online
latesa.online
lepidopteras.online
libellulat.online
libellulidae.online
limenitidinae.online
limenitis.online
limosa.online
limulusa.online
lophacris.online
lovarinda.site
lusciniar.online
lycaenidae.online
mackereli.site
maniola.online
mantidae.online
mantodeas.online
meandrusas.online
megascolias.online
megatos.online
melitaeas.online
merostomata.online
mesant.online
metcalfas.online
morphinaes.online
morphon.online
mortivan.site
mugil.online
mulletin.site
natrixy.online
nematoceras.online
nilesa.site
niloticus.online
noctuidaes.online
nymphalidaes.online
office360-expert.online
orbicularis.online
ovinus.online
panchax.online
papiliot.online
perchi.site
petulans.online
pfkj.online
pilcharda.site
plaices.site
plantora.online
polyphemus.online
pomfreti.online
portunio.site
rainbowt.site
regionem.online
rufescens.online
rumpere.online
sairanat.online
salmoni.site
saltator.online
saury.site
sauryn.online
scolopaxys.online
scorpiones.online
shaperi.online
silvicol.online
sinensisa.online
soled.site
sphaerion.online
sprata.online
sprata.site
spratan.online
stealheada.site
stellarisa.online
strigigena.online
suaveolens.online
sufflari.online
suffundi.online
suffunditur.online
superfluere.online
superfundi.online
superventus.online
testudos.online
tilapian.online
tnoi.online
trouta.site
tunara.online
turgescere.online
ugorado.online
usa-national.info
variare.online
vincula.online
viraglo.site
vitrokaz.site
who-int.info
xiphosura.online
# Cluster 10
desandra.ru
votifa.ru
# Cluster 11
nsfocusglobal[.]com/russian-apt-group-gamaredon-launches-phishing-campaign-against-ukrainian-ministry-of-foreign-affairs/
# Uses very different techniques:
# Changes reg[.]ru IPs frequently, but all are on the same /24 and all are massively shared hosting; the domain is old (2019) and uses the .fun TLD
# Traced back and confirmed it's linked to old "Cluster 1" infrastructure.
normandia.fun
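A consumer for the list above has to handle three things the raw format leaves implicit: `#` lines carry both cluster headers and WHOIS pivot keys (registrant emails and phone numbers) that must not be loaded as indicators; the Cluster 11 line is a defanged reference URL, not a domain to block; and the Cluster 9 entries under `hopto.org` are hosts on a shared No-IP dynamic-DNS zone, so a naive "block the registrable domain" rule would block every other No-IP user. The following Python is an added example, not part of the original IoC release. `IOC_TEXT` is a constructed excerpt in the same format (not the full feed), `DNS_LOG` is a constructed resolver log, and the `DDNS_ZONES` tuple is an assumption covering only the provider seen in this list.

```python
"""Parse a '#'-commented IoC list in the format above and match DNS queries against it.

Added example, not part of the original IoC release. IOC_TEXT and DNS_LOG are
constructed excerpts; DDNS_ZONES is an assumption (only hopto.org appears in the list).
"""
import re
from collections import defaultdict

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+\d[\d.]{6,}")
# A comment line beginning "Cluster N" / "More cluster N" / "LNK files" opens a section;
# any other comment line is a note attached to the current section.
SECTION_RE = re.compile(r"^#\s*(?:more\s+)?(cluster\s+\w+|lnk files)", re.I)
# Shared dynamic-DNS provider zones: match listed hosts exactly, never the zone itself.
DDNS_ZONES = ("hopto.org",)

# Constructed excerpt in the list's own format (same section and comment conventions).
IOC_TEXT = """\
# Post-Gamaredon-Feb-2022 blog release IoC update
# LNK files
19888c043afde1f63f25a807192170bc65377e6c89f693ad7af70c0a03a349ed
# Cluster 1 - new domains
maonas.ru
nastorlam.ru
# Cluster 9
# Only cluster observed still using some NoIP DDNS domains
coagula.online
upload-dt.hopto.org
# Cluster 9 WHOIS Pivot macrobit@inbox.ru +7.9789224559
abrumpere.online
# Cluster 11
nsfocusglobal[.]com/russian-apt-group-gamaredon-launches-phishing-campaign-against-ukrainian-ministry-of-foreign-affairs/
normandia.fun
"""

# Constructed resolver log: timestamp, client, qtype, qname.
DNS_LOG = """\
2022-02-16T10:01:02Z 10.0.0.5 A cdn.maonas.ru
2022-02-16T10:01:07Z 10.0.0.5 A upload-dt.hopto.org
2022-02-16T10:02:11Z 10.0.0.9 A other-user.hopto.org
2022-02-16T10:03:40Z 10.0.0.9 A www.example.com
2022-02-16T10:04:00Z 10.0.0.7 A normandia.fun.
"""


def refang(s: str) -> str:
    """Undo the defanging used in the list ('[.]' and 'hxxp')."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Return hashes and domains keyed to their section, plus references and WHOIS pivots."""
    out = {"hashes": {}, "domains": {}, "references": [], "pivots": defaultdict(set)}
    section = "header"
    for raw in text.splitlines():
        line = refang(raw.strip().lower())
        if not line:
            continue
        if line.startswith("#"):
            m = SECTION_RE.match(line)
            if m:
                section = " ".join(m.group(1).split())
            # Registrant email / phone pivots live in comments; they are not indicators.
            for key in EMAIL_RE.findall(line) + PHONE_RE.findall(line):
                out["pivots"][section].add(key)
            continue
        if SHA256_RE.match(line):
            out["hashes"][line] = section
        elif "/" in line:  # a URL path: cited report, not something to block
            out["references"].append(line)
        elif HOST_RE.match(line):
            out["domains"][line] = section
        else:
            raise ValueError(f"unrecognised IoC line: {raw!r}")
    return out


def match_host(qname: str, domains: dict):
    """Exact or subdomain match (cdn.maonas.ru hits maonas.ru); stops at a shared DDNS zone."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in domains:
            return cand, domains[cand]
        if cand in DDNS_ZONES:  # reached the provider zone without hitting a listed host
            return None
    return None


def scan_dns_log(log: str, iocs: dict) -> list:
    """Return (timestamp, client, qname, matched_ioc, section) for each hit."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, _qtype, qname = parts[:4]
        m = match_host(qname, iocs["domains"])
        if m:
            hits.append((ts, src, qname.rstrip("."), m[0], m[1]))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in scan_dns_log(DNS_LOG, iocs):
        print(hit)
```

The walk from the full qname toward the root is what makes `cdn.maonas.ru` a hit on the attacker-registered `maonas.ru` while `other-user.hopto.org` stays clean: the loop reaches `hopto.org`, recognises it as a shared provider zone, and stops rather than treating the zone as an indicator. Pivot keys end up in `pivots` for analyst use only, so an email address is never pushed into a blocklist.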