# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: scattered spider, unc3944, roasted oktapus, scatter swine, octo tempest, muddled libra, aa24-241a, pay2key, fox kitten, pioneer kitten, unc757, parisite, rubidium, lemon sandstorm, lucr-3, storm-0875, starfraud

# Reference: https://blog.group-ib.com/0ktapus
# Reference: https://otx.alienvault.com/pulse/6307925a7f9aa39ee9c66d3b
# Reference: https://www.virustotal.com/gui/ip-address/45.32.212.77/relations

# Reference: https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/

# Reference: https://x.com/k3yp0d/status/1828903531664855489
# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
# Reference: https://app.validin.com/detail?find=45.76.65.42&type=ip4&ref_id=725dc1eb270#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/206.71.148.78/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.77/relations
# Reference: https://www.virustotal.com/gui/ip-address/78.141.238.182/relations

# Reference: https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries

# Reference: https://x.com/ValidinLLC/status/1835644171459117398
# Reference: https://www.validin.com/blog/coralling-scattered-spider-with-dns-history/

# Reference: https://x.com/TLP_R3D/status/1836737521260109998

# Reference: https://x.com/t43cr0wl3r/status/1836191001758646386
# Reference: https://pastebin.com/svE6Rz0N
# Reference: https://urlscan.io/search/#filename%3A%22WebResource.axd%22%20AND%20filename%3A%22MsAjaxJs%22%20AND%20filename%3A%22mdb.min.js%22

# Reference: https://x.com/banthisguy9349/status/1836787723065016678
# Reference: https://x.com/TLP_R3D/status/1837083934900789424

# Reference: https://x.com/k3yp0d/status/1837769047204663338
# Reference: https://www.virustotal.com/gui/ip-address/199.247.14.229/relations
# Reference: https://www.virustotal.com/gui/ip-address/217.69.6.20/relations

# Reference: https://x.com/TLP_R3D/status/1838128760018673785

# Reference: https://x.com/TLP_R3D/status/1838477165576196491

# Reference: https://x.com/TLP_R3D/status/1843580380856856939
# Reference: https://x.com/ValidinLLC/status/1843605660086480927

# Reference: https://x.com/TLP_R3D/status/1844109535759524070/history

# Reference: https://x.com/TLP_R3D/status/1844645314747080712
# Reference: https://www.virustotal.com/gui/ip-address/45.88.91.25/relations

# Reference: https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains
# Reference: https://github.com/wiz-sec-public/wiz-research-iocs/blob/main/reports/0ktapus_phishing.csv

# Reference: https://x.com/TLP_R3D/status/1856795029781774738
# Reference: https://www.linkedin.com/posts/academy-intel-ops_threathunting-cti-scatteredspider-activity-7262761054001057792-KNWp/

# Reference: https://app.validin.com/detail?find=adfs-cardinalhealth.com&type=dom#tab=host_pairs

# Reference: https://x.com/TLP_R3D/status/1857715116856271313
# Reference: https://x.com/TLP_R3D/status/1859860985227485539
# Reference: https://x.com/TLP_R3D/status/1859970433677926751
# Reference: https://www.virustotal.com/gui/ip-address/91.212.166.88/relations

# Reference: https://x.com/WhichbufferArda/status/1859320516471030256
# Reference: https://x.com/WhichbufferArda/status/1859323657517953160

# Reference: https://x.com/TLP_R3D/status/1861068253709185063

# Reference: https://x.com/TLP_R3D/status/1861076050848915785
# Reference: https://urlscan.io/search/#hash%3A4f415598183d3a6e31967b850a25a1a19c41b698e0695e2426a34ffa39d46f34

# Reference: https://x.com/WhichbufferArda/status/1861060536776999256
# Reference: https://urlscan.io/search/#hash%3A8293806652949fc5056d2b841ad30010a8e83e0e6adfb102ef83c73bdea074eb

# Reference: https://x.com/TLP_R3D/status/1873000180716376261
# Reference: https://www.virustotal.com/gui/ip-address/185.196.10.89/relations