# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: scattered spider, unc3944, roasted oktapus, scatter swine, octo tempest, muddled libra, aa24-241a, pay2key, fox kitten, pioneer kitten, unc757, parisite, rubidium, lemon sandstorm, lucr-3, storm-0875, starfraud

# Reference: https://blog.group-ib.com/0ktapus
# Reference: https://otx.alienvault.com/pulse/6307925a7f9aa39ee9c66d3b
# Reference: https://www.virustotal.com/gui/ip-address/45.32.212.77/relations

activecampaign-okta.com
alorica-vpn.com
arise-okta.com
at-uid.com
atento-help.com
att-citrix.com
att-citrix.net
att-ctx.com
att-id.net
att-mfa.com
att-opus.net
att-rsa.com
att-sso.com
att-sso.net
att-support.org
att-uid.co
att-uid.com
att-uid.net
att-vmware.com
att-vpn.com
att-vpn.org
bandwidth-okta.com
bestbuy-vpn.com
binance-okta.com
box-okta.org
boxokta.com
cb-okta.com
cb-okta.net
cgslnc-okta.com
cloudflare-okta.com
coin-base-okta.com
concentrix-sso.com
concentrixhelp.com
concentrlx.com
conexusonline.com
corp-att.net
customer-internal.com
epicgames-okta.com
epicgames-vpn.com
evernote-onelogin.com
hubspot-sso.com
infosys-vpn.com
intercom-vpn.com
internai-customer.io
iqor-duo.com
iqor-duo.net
iqor-help.com
iqor-help.net
iqor-helpdesk.com
iqor-portal.com
iqor-sso.com
iqor-sso.net
iqor-tmobile.com
klaviyo-sso.com
kucoin-pin.com
kucoin-pin.net
kucoin-sso.com
kucoin-sso.net
kucoinpin.com
kucoinpin.net
loginxarth.tv
maiichlmp.com
mailchimp-help.com
mailchimp-okta.com
mailchimp-sso.com
mailgun-okta.com
manpowergroup-sso.com
mcsupport-okta.com
medailia-okta.com
metropcs-edge.net
microsoft-sso.net
mlcrosoft.cloud
mlcrosoft.info
mytpusa.com
mytpusa.net
okta-drop.com
okta-hubspot.com
okta-oath.com
okta-riotgames.com
okta-sso.net
okta-tmo.org
okta-tmobiie.net
okta-tmobile.org
one-login.co
opus-att.com
ouryahoo-okta.com
ouryahoo-okta.net
ouryahoo-okta.org
ouryahooinc-okta.com
quaifon.com
quaifone.com
qualfon-sso.com
riotgames-okta.com
riotgames-vpn.com
riotgames-vpn.net
rogers-help.net
rogers-rci.com
rogers-rci.net
rogers-sso.com
rogers-sso.net
rogers-ssp.com
sendgrid-okta.org
sinch-sso.com
sitel-help.com
sitel-sso.com
sitel-vpn.net
slack-mailchimp.com
snap-okta.com
snap-okta.net
sprint-idg.net
squarespacehr.com
startek-vpn.com
sutherlandglobal-vpn.com
sykes-help.com
sykes-sso.com
sykes-vpn.com
t-mobiie.co
t-mobiie.net
t-mobiie.org
t-mobile-okta.com
t-mobile-okta.net
t-mobile-okta.org
t-mobile-okta.us
t-mobile-sso.net
t-mobilers.com
t-moblie-okta.com
t-moblie.help
t-moblier.org
t-moblle.org
taskus-sso.com
taskus-vpn.com
techmahindra-sso.com
teleperformance-help.com
teleperformance-sso.com
teleperformance-usa.net
teleperformanceusa-sso.com
telus-sso.com
tmo-okta.com
tmo-sso.com
tmo-sso.net
tmobie.net
tmobile-okta.com
tmobile-okta.net
tmobiler.net
tmoble.net
tmoblie.net
tmoblle.co
tmoblle.net
tmoblle.org
tp-update.com
tp-usa.net
tpusa-citrix.com
transcom-help.com
transcom-sso.com
ttec-help.com
ttec-sso.com
ttec-vpn.com
ttecvpn.com
twiiio-okta.net
twiiio-sso.com
twiiio.net
twiiio.org
twilio-help.com
twilio-okta.com
twilio-sso.com
twit-vpn.com
twitter-okta.com
twlilo.net
uid-att.com
uscc-hr.com
verizon-sso.net
vzw-corp.net
vzwcorp.co
okta.tmobiie.net

# Reference: https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/

activecampaign-hr.com
activecampaignhr.com
activesso.com
actlvecampaign.net
aflac-hr.com
allstate-hr.com
ally-hr.com
amica-hr.com
applesso.com
assurionsso.net
asurion-idp.com
asurionsso.com
athene-usa.com
bbt-hr.com
bbt-work.com
bbtcorp.net
bbtemps.com
bbthour.com
bbtplus.com
bbtvpn.com
bell-hr.com
block-hr.com
block-sso.com
bn-sso.com
cashsso.com
cellularhr.com
cellularsaies.com
cellularsso.com
cgsinchr.com
charter-vpn.com
chartervpn.com
cinfin-hr.com
clicksend-staging.com
cofelyvision.com
connect-asurion.net
connect-cox.com
connect-sso.com
corp-cox.com
corp-foundever.com
corporate-ally.com
corporate-huntington.com
corporate-pnc.com
costsso.com
desksso.com
doordash-support.com
eclerx-sso.com
fidelitysso.com
fireblocks-sso.com
five9-hr.com
foundever-sso.com
freshdesksso.com
freshworks-sso.net
freshworksso.com
gemini-sso.com
gitlabhr.com
gitlabsso.com
grubhub-support.com
grubhubsso.com
hanover-hr.com
hr-intercom.com
hubsso.net
ibexgiobal.com
iliad-sso.com
infobbt.com
intercom-hr.com
intercomsso.net
kemper-support.com
klaviyo-hr.com
klaviyocorp.net
klavlyo.com
linkedinsso.com
login.suniife.com
mercury-hr.com
mutualofomaha-hr.com
my-tsl.com
my-tsl.net
my-twilio.com
myworkspaceinfo.com
newyorklifehr.com
nfp-hr.com
on-sinch.com
orange-sso.com
podium-hr.com
podiumsso.com
postmarksso.com
prntsrc.net
rbx-hr.com
rbxhr.net
realogy-hr.com
recurlysso.com
roblox-hrs.com
sec-sso.net
securian-hr.com
sharing-folders.com
sinchdev.com
singtei.net
square-sso.com
squarespace-hr.com
ssopodium.com
ssotelnyx.com
stargate-sso.com
supporthub-iqor.com
synchronyfinanciai.com
teiekom.net
telesignhr.com
telnyx-sso.com
telnyxsso.com
thrivent-hr.com
transamerica-hr.com
truecorphr.net
trustsso.com
unum-hr.com
unumhr.com
uscchr.com
usccplus.com
uscell.net
uscellular-hr.com
uscellular-sso.com
uscellularhr.com
victrasso.com
vz-hr.com
vzapps-vzn.com
walmartsso.com
walmartworkspace.com
workatbbt.com
yourbbt.com
zen-sso.com
zendesklt.com

# Reference: https://x.com/k3yp0d/status/1828903531664855489
# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
# Reference: https://app.validin.com/detail?find=45.76.65.42&type=ip4&ref_id=725dc1eb270#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/206.71.148.78/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.77/relations
# Reference: https://www.virustotal.com/gui/ip-address/78.141.238.182/relations

api.gupdate.net
app-api.team.beta.btest.cloud
app.team.beta.btest.cloud
beta.btest.cloud
btest.cloud
cloud.sophos.one
forticloud.online
fortigate.forticloud.online
git-lab.net
githubapp.net
glthub.ddns.net
gupdate.net
hostmaster.git-lab.net
login.forticloud.online
sophos.one

# Reference: https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries

authenticate-bt.com
creditkarma-help.com
ibexglobai.com
revolut-ticket.com
servicenow-help.com
login.five9-hr.com
login.uscc-hr.com

# Reference: https://x.com/ValidinLLC/status/1835644171459117398
# Reference: https://www.validin.com/blog/coralling-scattered-spider-with-dns-history/

expediagroup-servicenow.com
freshworks-hr.com
okta-247.com
pfchangs-support.com
servicenow-hrblock.com
247-inc.okta-247.com
account.freshworks-hr.com
account.pfchangs-support.com
account.servicenow-hrblock.com
login.freshworks-hr.com
login.okta-247.com
login.pfchangs-support.com
login.servicenow-hrblock.com

# Reference: https://x.com/TLP_R3D/status/1836737521260109998

acwa-internal.com
applerevoke.com
binance-us-okta.com
coinbase-okta.com
consensys-okta.com
eu-apple.center
livechat-salesforce.com
mcointernal-okta.com
stargate-okta.com

# Reference: https://x.com/t43cr0wl3r/status/1836191001758646386
# Reference: https://pastebin.com/svE6Rz0N
# Reference: https://urlscan.io/search/#filename%3A%22WebResource.axd%22%20AND%20filename%3A%22MsAjaxJs%22%20AND%20filename%3A%22mdb.min.js%22

airtel-servicenow.com
alorica-cms.net
alorica-servicenow.net
alticeusa-helpdesk.com
asurioninc.net
atlassian-helpdesk.com
att-access.com
att-cso.com
att-login.net
att-portal.com
att-uid.org
attuid.net
attuid.org
beazley-sso.com
binance-sso.com
bnymellon-gateway.com
bnymellon-inc.com
bnymellon-internal.com
boxsso.com
cb-servicedesk.com
centerfieid.com
cgi-sso.com
channelportal-helpdesk.com
cms-dashboard.alorica.com
cognizant-sso.com
coinbase-sso.com
com-concentrix-postcv.online
comcast-schedule.com
comcast-schedules.com
comcast360.com
comcastschedule.com
concentrix-servicedesk.com
conduent-servicenow.com
corp-foundever.net
corpworkday.com
coxsso.com
cricket-sso.com
cricketwireiess.co
cricketwlreless.com
ctl-help.com
deiwarenorth.com
discord-sso.com
dropbox-corp.com
dxc-hr.com
ea-helpdesk.com
einstein-360.org
einstein360.net
einstein360.org
epic-servicedesk.com
evolution-sso.com
faneuli.com
fico-servicenow.com
fossil-sso.com
fox-internal.com
fox-sso.com
ibexsso.com
icare-sprint.com
icaresso.com
ienergizer-incidents.net
infocision.net
infosys-servicenow.com
infosys-servicenow.net
infosys-sso.com
infosys-sso.net
intuit-sso.com
jacksonhewitt-service.com
loreal-servicenow.com
loreal-sso.net
lowes-helpdesk.com
lowes-sso.com
macys-servicenow.com
macys-servicenow.net
macys-sso.com
macys-sso.net
mcolnteral.com
mod-sso.com
modsquad-sso.com
mongosso.com
msauth-setup.com
nuance-helpdesk.com
o2sso.com
oath-helpdesk.com
okta.cellularsaies.com
onetouchdlrect.net
onetouchsso.com
pacificlife-sso.net
paloaltonetworks-helpdesk.com
ping.taskus-sso.com
pldt-servicenow.net
preventphishing.net
quaifone.net
rbx-corp.com
rbx-servicedesk.com
recuriy.net
robinhood-servicedesk.com
rogers-helpdesk.net
servicenow-conduent.com
servicenow-ibex.com
servicenow-infosysapps.com
servicenow-sso.com
shopify-helpdesk.com
simpleidentity.help
singtel-corp.com
snapchat-sso.com
sprint-sso.net
sprlnt-sso.net
sprlnt.net
sprlnt.org
sprlntsso.com
sso-att.net
sso-sprint.com
sso-sprlnt.com
sso.ibexgiobal.com
ssoatt.com
ssorogers.com
ssotmo.com
stargatesso.com
sutheriandgiobal.com
sykes-agents.com
sykes-factor.com
syniverse-sso.com
syniverse-sso.net
teleperformance-incident.com
teleperformance-servicedesk.com
telint-helpdesk.com
telstra-sso.net
tmo.cx
tmobble.us
tmobie.org
transunion-sso.net
twiiiosso.com
twilio-sso.net
usceiiuiar.com
usceliuiar.com
wipro-inc.com
wiprohr.com
wlowes-sso.com
workingsolutions-corp.com
xub07-fdexwgl.us
yahoo-lnk.com
zd-corp.co
zd-corp.net
zdcorp.co
zdsso.net
zendesk-servicedesk.com
zendesk-sso.com
zendesk-sso.net
zendesksso.com

# Reference: https://x.com/banthisguy9349/status/1836787723065016678
# Reference: https://x.com/TLP_R3D/status/1837083934900789424

2-okta.com
account-okta.com
apexsumsol-okta.com
api-okta.com
apps.galaxydigital-okta.com
autoconfig.api-okta.com
autodiscover.api-okta.com
bitwise-okta.com
bitwise.bitwise-okta.com
campaignmonitor-okta.com
chia-okta.com
coinbase.reset-okta.com
corporatetools-okta.com
cosmotech.account-okta.com
dce-fleetdm.fleet-okta.com
deeptesting-okta.com
doodle-okta.com
example.hunters-okta.com
fleet-okta.com
flowdesk-okta.com
galaxydigital-okta.com
gravie-okta.com
hackerone-admin-okta.com
hackerone-okta.com
hubspot.login-okta.com
hunters-okta.com
iterable-okta.com
itbit-okta.com
jimdo-okta.com
kingston-okta.com
login-okta.com
login.corporatetools-okta.com
login.galaxydigital-okta.com
login.hunters-okta.com
login.jimdo-okta.com
login.login-okta.com
login.one.galaxydigital-okta.com
login.vice-okta.com
m.usaa-okta.com
mail.doodle-okta.com
mox-okta.com
mta-sts.api-okta.com
mx.doodle-okta.com
navi-okta.com
outlook.doodle-okta.com
reset-okta.com
scribe-api-okta.scribehow-okta.com
secure-okta.com
security-okta.com
shares-okta.com
squarespace-okta.com
tarsusrx-okta.com
turo.corporatetools-okta.com
usaa-okta.com
vice-okta.com
vice.vice-okta.com
yiwu-okta.com

# Reference: https://x.com/k3yp0d/status/1837769047204663338
# Reference: https://www.virustotal.com/gui/ip-address/199.247.14.229/relations
# Reference: https://www.virustotal.com/gui/ip-address/217.69.6.20/relations

amazonaws.work
eu-west-3.amazonaws.work
s3.amazonaws.work

# Reference: https://x.com/TLP_R3D/status/1838128760018673785

ultahub.com
ultainternal.com

# Reference: https://x.com/TLP_R3D/status/1838477165576196491

unchainedprod.com
unchainedprod-okta.com

# Reference: https://x.com/TLP_R3D/status/1843580380856856939
# Reference: https://x.com/ValidinLLC/status/1843605660086480927

bcbgroup-okta.com
condenast-hub-okta-emea.com
corporate-okta.com
gamestopinc-okta.com
help-okta.com
interceptpharma-okta.com
jumio-okta.com
kering-okta.com
louisvuitton-okta.com
nike-okta.com
okta-godaddy.com
okta-persona.com
okta-socure.com
oktamus-prime.com
persona-okta.com
revoke-okta.com
socure-okta.com

# Reference: https://x.com/TLP_R3D/status/1844109535759524070/history

incode-okta.com
okta-incode.com

# Reference: https://x.com/TLP_R3D/status/1844645314747080712
# Reference: https://www.virustotal.com/gui/ip-address/45.88.91.25/relations

dashboard-onelogin.com

# Reference: https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains
# Reference: https://github.com/wiz-sec-public/wiz-research-iocs/blob/main/reports/0ktapus_phishing.csv

account-sendgrid.com
account.kemper-support.com
account.klaviyo-hr.com
account.securian-hr.com
activecampainhr.com
acwa-apple.com
adasupport-okta.com
alchemy-okta.com
apple-vpn.com
auth-alchemy.com
calendar-dd.com
commonspiritcorp-okta.com
contact-sendgrid.com
corescientific-okta.com
dashboard-mailgun.com
dashsso.com
docusign-okta.com
docusignhq.net
forward-icloud.com
galaxy-okta.com
gofundme-okta.com
grayscale-okta.com
grid-review.com
hr-gnc.com
intercom-okta.com
klav-workday.com
klaviyo-vpn.com
login.ally-hr.com
login.block-hr.com
login.corporate-ally.com
login.corporate-pnc.com
login.doordash-support.com
login.grubhub-support.com
login.hr-intercom.com
login.klaviyo-hr.com
login.nfp-hr.com
login.rbx-hr.com
login.realogy-hr.com
login.securian-hr.com
login.synchronyfinanciai.com
login.thrivent-hr.com
login.transamerica-hr.com
login.unum-hr.com
login.unumhr.com
luno-okta.com
manageactivity-sendgrid.com
markel-hr.com
mgmresorts-okta.com
mixpanel-okta.com
nike-support.com
okta-blockdaemon.com
okta-campaignmonitor.com
okta-cbhq.net
okta-gamestop.com
okta-intercom.com
okta-nydig.com
okta-onsolve.com
okta-ouryahoo.com
okta-ripple.com
okta-twilio.com
okta-verify.com
okta.com.shortid.support
onsolve-okta.com
ouryahoo.okta.com.shortid.support
paxos-okta.com
rbx.okta.bio
rejectauth-sendgrid.com
resolveservicedesk.com
review-mailgun.com
ripple-okta.com
sendgrid-account.com
sendgrid-overview.com
servicenowprod.com
sessions-sendgrid.com
settings-okta.com
snapchat-okta.com
sso-falconx.com
sso-klaviyo.com
stargatesso-gemini.com
storewatch-tmobile.com
sunrise-crypto.com
sync-apple.com
tickets.zapto.org
twillio-sendgrid.com
typeform-okta.com
verify-mailgun.com
verify-tmobile.com
xapo-okta.com
ziffdavis-okta.com

# Reference: https://x.com/TLP_R3D/status/1856795029781774738
# Reference: https://www.linkedin.com/posts/academy-intel-ops_threathunting-cti-scatteredspider-activity-7262761054001057792-KNWp/

adfs-cardinalhealth.com
louisvitton-okta.com
pennkey-upenn.com
revolut-okta.com
weblogin.pennkey-upenn.com

# Reference: https://app.validin.com/detail?find=adfs-cardinalhealth.com&type=dom#tab=host_pairs

80-78-22-124.cprapid.com
host-80-78-22-124.njalla.net
boardacess.com
office.boardacess.com
convert-meeting.duckdns.org
send-forget.duckdns.org
shareportfolio.duckdns.org
warmedals.duckdns.org
website-sitemap.duckdns.org

# Reference: https://x.com/TLP_R3D/status/1857715116856271313
# Reference: https://x.com/TLP_R3D/status/1859860985227485539
# Reference: https://x.com/TLP_R3D/status/1859970433677926751
# Reference: https://www.virustotal.com/gui/ip-address/91.212.166.88/relations

auth-okta-iterable.com
iterable-internal.com
magiclink-okta.com

# Reference: https://x.com/WhichbufferArda/status/1859320516471030256
# Reference: https://x.com/WhichbufferArda/status/1859323657517953160

americafirstmobiie.com
mintmobiie.com
tmobiie.com
tmobiie.us
staging.tmobiie.com

# Reference: https://x.com/TLP_R3D/status/1861068253709185063

okta-snapchat.com

# Reference: https://x.com/TLP_R3D/status/1861076050848915785
# Reference: https://urlscan.io/search/#hash%3A4f415598183d3a6e31967b850a25a1a19c41b698e0695e2426a34ffa39d46f34

boardacess.com
okta-revolut.com

# Reference: https://x.com/WhichbufferArda/status/1861060536776999256
# Reference: https://urlscan.io/search/#hash%3A8293806652949fc5056d2b841ad30010a8e83e0e6adfb102ef83c73bdea074eb

iuiuiemon.com
vision-victra.com

# Reference: https://x.com/TLP_R3D/status/1873000180716376261
# Reference: https://www.virustotal.com/gui/ip-address/185.196.10.89/relations

sts-okta.com
takeaway-okta.com
grubhub.sts-okta.com
login.takeaway-okta.com
logitech.sts-okta.com
lyft.sts-okta.com
tinder.sts-okta.com
turo.sts-okta.com
workday.takeaway-okta.com

# Reference: https://x.com/lontze7/status/1882367142823367121

okta-louisvuitton.com

# Reference: https://x.com/ValidinLLC/status/1904823536507597240
# Reference: https://www.validin.com/blog/pulling_threads_on_phishing_campaign/
# Reference: https://app.validin.com/detail?find=Cloudflare%20Captcha&type=raw&ref_id=59ae4f5ec75#tab=host_pairs (# 2025-03-29)

amazonturkie.net
asset-hyperliquid.com
cm-verificatie.com
eigenlayer-assets.com
falseadvertisinginposts.com
firmware-llive.com
firmware-server12.com
flo-sot.org
flur-fhs.net
hubservices-crm.com
iiiuvium-io.com
liquitidy-pepe.com
live-sso.com
loginportal-sendgrid.net
mail-chimpservices.com
mailchimp-ssologin.com
pay-bancontact.com
portal.sendgridssoservices.com
redirect-sso.com
sendgridssoservices.com
server12-mchimp.com
server9-hubspot.com
server9-mailgun.com
server9-sendgrid.net
sso-account.com
sso-loginservices.com
sso-signon.com
sso-walletmanager.com
support.loginportal-sendgrid.net
swell-assets.com
worldofmobile.top

# Refrence: https://app.validin.com/detail?type=hash&find=e62b574d06923e36af33f7be0a4a57aa#tab=host_pairs

account-mailgun.com

# Reference: https://app.validin.com/detail?type=hash&find=9e17f7847085a9302e40c87789155ad8#tab=host_pairs

account-sendgrld.com
authentication-sendgrid.com
dev-sendgrid.com
ftm-wallet.com
help-sendgrid.com
jtfersion.com
kineomager.net
payment-sendgrid.com
secure-sendgrld.com
services-sendgrid.com

# Reference: https://x.com/silentpush/status/1906552060213944395
# Reference: https://app.silentpush.com/shared/3444ce10-8d54-48a1-a981-4f8a7957517a/

okta-experian.com
root.okta-experian.com

# Reference: https://www.silentpush.com/blog/poisonseed/
# Reference: https://app.validin.com/detail?find=Cloudflare%20Captcha&type=raw&ref_id=06b040b1779#tab=host_pairs (# 2025-04-04)

account-sso-login.com
account-ssoservices.com
active-mailgun.com
activisionsuport.com
barefoots-api.com
cloudflare-sendgrid.com
complete-sendgrid.com
connect1-coinbase.com
connect5-coinbase.com
firmware-llive.com
google-sso-login.com
inquiry-loginp.com
iosjdfsmdkf.com
myaccount-hbspot.com
mysite-clflre.com
mysrver-chbackend.com
mysso-accounts.com
mysso-accountservices.com
myw-cbw.com
mywallet-cbsmartw.com
mywallet-cbsmw.com
mywallet-cbupgrade.com
nikafk244.com
password-proxy-redirect.com
response-crmsg.com
response-loginportal.com
response16-sendgrid.com
response20-sendgrid.com
responseinquiry-tos.com
responsesendgrid.com
review-termsconditions.com
revokecblink.com
rseponse-manageprod.com
rseponse25-sendgrid.com
rseponsequery.com
support-zoho.com
swallet-coinbase.com

# Reference: https://www.silentpush.com/blog/scattered-spider-2025/

7-eleven-hr.com
activecampiagn.net
bestbuy-cdn.com
birdsso.com
citrix-okta.com
corp-asurion.com
corp-hubspot.com
cts-comcast.com
duelbits-cdn.com
gryscale-ox0d.com
gucci-cdn.com
iyft.net
morningstar-okta.com
mytsl.net
okta-ziffdavis.com
pure-okta.com
signin-nydig.com
simpletexting-cdn.com
sso-instacart.com
sts-vodafone.com
sytemstern.net
x-sso.com