# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: APT-LY-1007, CloudFall, CyrillicRAT

# Note: something is wrong with the connection between cloud atlas and red october (https://securelist.com/recent-cloud-atlas-activity/92016/)

# Reference: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

webdav.cloudme.com/bimm4276/CloudDrive/

# Reference: https://securelist.com/recent-cloud-atlas-activity/92016/
# Reference: https://otx.alienvault.com/pulse/5d5176f09f3f84634e1f0227

http://144.217.174.57
http://176.31.59.232

# Reference: https://twitter.com/Vishnyak0v/status/1197402642651193345

newoffice-template.com

# Reference: https://twitter.com/jfslowik/status/1340352860274393088
# Reference: https://twitter.com/ShadowChasing1/status/1359127027438112773
# Reference: https://www.virustotal.com/gui/file/21ff553d752df93e10e45d0393eb097d5231346737e786ab8ad41324c299342a/detection

ms-officeupdate.com

# Reference: https://twitter.com/kyleehmke/status/1359531943252140040
# Reference: https://twitter.com/ShadowChasing1/status/1362359220046192640
# Reference: https://www.virustotal.com/gui/file/46c203cf15a4126f10b3933376215063fe385aba3be971d63fc4e7be34aaf171/detection

ms-update.org

# Reference: https://twitter.com/jfslowik/status/1363255047929294853

eurasia-research.org
ms-template.com

# Reference: https://twitter.com/h2jazi/status/1363918659534659587
# Reference: https://www.virustotal.com/gui/file/668236000a483b1735b7f8e244ae867804ee20fbd18e07860d1764a30e3ba60d/detection

http://139.60.161.74/appalcanedentrecentlyconvergenting.png
http://217.182.9.185/appalcanedentrecentlyconvergenting.png

# Reference: https://twitter.com/ShadowChasing1/status/1364435382683668484
# Reference: https://www.virustotal.com/gui/file/439032cbee22ae75cce7e2340ca7ffe521dce3e18702ccd703cc5849dbf8954b/detection

/referential5refugee0douglas4modulate5trio7

# Reference: https://twitter.com/ShadowChasing1/status/1364436330894135297
# Reference: https://www.virustotal.com/gui/file/4011b1fff8c088fcb4ac4a05a5a156912162293bbda8147597a41e09725b3ebf/detection

/validate7condom7rapids9simoom9

# Reference: https://www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas

http://139.60.161.74/appalcanedentrecentlyconvergenting.png
http://185.70.184.32/soarnegroidmeanalkydapresowntipslushing.png

# Reference: https://twitter.com/kyleehmke/status/1366796835541684224

ms-officeupdate.org

# Reference: https://twitter.com/ShadowChasing1/status/1391788670349287425
# Reference: https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify
# Reference: https://otx.alienvault.com/pulse/5fb8172cdb6535bd6935bfd6
# Reference: https://www.virustotal.com/gui/file/e5b76a3ec4c9b0a42ec953022b5d64f61e7cd64f78ea0cb7170b7882ffb180b6/detection

2020-windows.com
azureblog.info
brexitimpact.com
doc-fid.com
e-government-pk.com
e-govoffice.com
get-news-online.com
gmocloudhosting.com
interior-gov.com
iphoneupdatecheck.com
live-media.org
liveinfo.org
log1inbox.com
ms-check-new-update.com
msofficeupdate.com
msofficeupdate.org
msupdatecheck.com
netserviceupdater.com
new-office.org
newoffice-template.com
newoffice-update.com
newupdate.org
officeupgrade.org
petronas-me.com
rarnbler.com
rneil.ru
srv3-serveup-ads.net
template-new.com
template-office.org
tls-login.com
update-office.com
upgrade-office.com
upgrade-office.org
user-twitter.com
weather-server.net

# Reference: https://twitter.com/h2jazi/status/1453748348964548617
# Reference: https://www.virustotal.com/gui/file/9e23a08981ae336068905c771754f7ea26b19d3d978b1bd554a4202a165b3072/detection

checklicensekey.com

# Reference: https://twitter.com/ShadowChasing1/status/1469145795723071492
# Reference: https://twitter.com/ShadowChasing1/status/1468924565653159942
# Reference: https://www.virustotal.com/gui/ip-address/185.117.91.175/relations
# Reference: https://www.virustotal.com/gui/file/309ba0a33ecf3e123bc3e539a5443b5b633a135c3fc44fd0941d520fee39afb1/detection
# Reference: https://www.virustotal.com/gui/file/60e9222f464cc99014a909ca4548cf38b20c7a5bbd80714dfd95ce89842be7db/detection

msdocumentviever.com

# Reference: https://www.zscaler.com/blogs/security-research/cloudfall-targets-researchers-and-scientists-invited-international-military
# Reference: https://www.virustotal.com/gui/file/d911e17b3628471713adeac2c86ad429d4e873dacfa13a10ed9a316c49ed63b0/detection

advancestore.workers.dev
dc-microsoft.workers.dev
digitalstorage.workers.dev
fetrikekke531.workers.dev
jerkufetra754.workers.dev
microsoft-365.workers.dev
microsoft-cloud.workers.dev
office365online.workers.dev
office365-cloud.workers.dev
publicserver.workers.dev
repository.workers.dev
api.office365online.workers.dev
asia.office365-cloud.workers.dev
cloud.digitalstorage.workers.dev
curly-waterfall-360d.fetrikekke531.workers.dev
documents.publicserver.workers.dev
eu.microsoft-365.workers.dev
falling-haze-1812.jerkufetra754.workers.dev
falling-haze-1813.jerkufetra754.workers.dev
mirror.advancestore.workers.dev
office365.dc-microsoft.workers.dev
office365.microsoft-cloud.workers.dev
plug.repository.workers.dev
virustotall-360d.fetrikekke531.workers.dev

# Reference: https://twitter.com/h2jazi/status/1592158351475240962
# Reference: https://www.virustotal.com/gui/file/b1a2eb532c461ff2faa4ec9edf44d2ef5678ee1a84a8779866ad64fa8b52065e/detection
# Reference: https://www.virustotal.com/gui/file/8217e38b3dba43d88b397aa0de945eba2efa5884a98b127fd611e426091e56f5/detection
# Reference: https://www.virustotal.com/gui/file/1b3a85d596d65e0101eeddd539cec587fec4ca3b7c08469712c3964f8202a39e/detection
# Reference: https://www.virustotal.com/gui/file/12f9dcdfea0520436e8c5749fbefedc7675e74b73c97a1bcaf1ecce64f12ed19/detection

protocol-list.com
/shab/haftarot/s
/shab/haftarot/

# Reference: https://twitter.com/h2jazi/status/1595787712996556800
# Reference: https://www.virustotal.com/gui/file/186289754f499c26aa66f9305f792ae4a85a9b9946bc5b4dcbb9eeb1632709cd/detection

remote-convert.com
/Access/acrydium/osteectomies
/Access/acrydium/

# Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/

api-help.com
comparelicense.com
driver-updated.com
mynewtemplate.com
new-template.com
sync-firewall.com
system-logs.com
technology-requests.net
translate-news.net

# Reference: https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/

desktoppreview.com
driversolution.net
gettemplate.org
support-app.net

# Reference: https://twitter.com/felixaime/status/1601257303080308739
# Reference: https://twitter.com/felixaime/status/1601257305294921728

driver-key.com
microsoftsample.com
reload-config.com
safety-key.org
web-digest.com

# Reference: https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/
# Reference: https://www.virustotal.com/gui/ip-address/192.153.57.83/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.210.104.54/relations
# Reference: https://www.virustotal.com/gui/file/12c20f9dbdb8955f3f88e28dc10241f35659dbcd74dadc9a10ca1b508722d69a/detection
# Reference: https://www.virustotal.com/gui/file/cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541/detection
# Reference: https://www.virustotal.com/gui/file/ca95e8a8b6fb11b5129821f034b337b06cdf407fa9516619f3baed450ac1cf2d/detection

168.100.11.142:443
fatobara.com
microsftupdetes.com
mirror-exchange.com
rostec.digital
windowsipdate.com

# Reference: https://twitter.com/RedDrip7/status/1613806512211910657
# Reference: https://twitter.com/RedDrip7/status/1613806655418028034
# Reference: https://www.virustotal.com/gui/file/36cbd8eb24aa60809e67c85f17151b0783632949fb4a387b5e9035fc227221c0/detection
# Reference: https://www.virustotal.com/gui/file/141b2c01f4fb9326fc60690cf7d36a2b35b9cc9e1ee520c3470192a76c18cb74/detection

cortanaupdater.info
exactsynchtime.ru

# Reference: https://twitter.com/h2jazi/status/1618347920792907777
# Reference: https://www.virustotal.com/gui/file/176b336f425bc15651672f96f70149873b10a3badfa040c8943bfe54955e043d/detection
# Reference: https://www.virustotal.com/gui/file/6501dd570761f2bd3eff4e3416baef57c2ff514b8dd35c9c80a37e2d489d714f/detection
# Reference: https://www.virustotal.com/gui/file/9f8d3ee51af949ae15ca18c6fdd8e6f2d1c7970c8265bd5bb2bb2d92d358c04a/detection

archive-downloader.com
cloud.archive-downloader.com

# Reference: https://twitter.com/k3yp0d/status/1618539713228574721
# Reference: https://www.virustotal.com/gui/file/ddeb109a97e3689b63d4ee848d4c23b0646c8070badebcc852577be0b64c7397/detection

e-aks.uz

# Reference: https://twitter.com/k3yp0d/status/1618541802675646464
# Reference: https://www.virustotal.com/gui/file/283348e93ef616a130f3bdf313499c861c9d9f22929b795abc57a5ba5b1c508f/detection

becloud.website

# Reference: https://twitter.com/kyleehmke/status/1628419317103460359
# Reference: https://www.virustotal.com/gui/ip-address/5.101.66.135/relations

windows-srv.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-04-13-v10297/477
# Reference: https://www.virustotal.com/gui/file/dc1a0b4aa62729ec12c52ccdfb6011f87f38b5441e792b4ae06fe4b07ff8c7fe/detection
# Reference: https://www.virustotal.com/gui/file/82f76dca581ccddac695170b0c9d4e278cc6a75dd8213d41505c775a6bec9675/detection

agent-group.org
supportpanel.agent-group.org

# Reference: https://twitter.com/StopMalvertisin/status/1648213776112717827
# Reference: https://twitter.com/StopMalvertisin/status/1648213782957809666
# Reference: https://twitter.com/RexorVc0/status/1651201212480466945
# Reference: https://mp-weixin-qq-com.translate.goog/s/bOJ88Zzk27ZaHShlYUCYgA?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
# Reference: https://www.virustotal.com/gui/file/4aac08bbead6b3e3695f588e2c6d9ea738ff909aa3e38ddb6fdaf3546ee19139/detection
# Reference: https://www.virustotal.com/gui/file/1d03a3cd25fb95bc52f557df31100250768107bad146f1793785e8b630dee67c/detection
# Reference: https://www.virustotal.com/gui/file/d1d602cd4aacef412d97640f3a030516a441300bd80dfaef383140f1998686a8/detection

5.252.179.45:55000
http-updater.hs.vc
teexgjvvhuab.webhop.me

# Reference: https://twitter.com/t3ft3lb/status/1651154256294977537
# Reference: https://www.virustotal.com/gui/file/95cc7af0dbb0b927ab369621d62e87938b50e48f54779b10657681a0f70b8ac1/detection

host-tools.net
/?zboard_zboard.php?id=

# Reference: https://twitter.com/suyog41/status/1661254437216583683
# Reference: https://www.virustotal.com/gui/file/e49b6200b408e1fc2c3886805d4a1b1e5fcc43ac6efe71f803070927ef94a181/detection

yandexbraveupdateinfo.net

# Reference: https://twitter.com/t3ft3lb/status/1665686960764067840
# Reference: https://www.virustotal.com/gui/file/a4ab42ae16cc044ecd5c0bd91cc13beded61ab848502c356691fb27c8b7cec61/detection

wireless-log.net
managements.wireless-log.net

# Reference: https://twitter.com/suyog41/status/1673215056287285249
# Reference: https://www.virustotal.com/gui/file/708c2eb5a979cbfa8e240679282a37835daafd37b30ecce722be28861996cf35/detection

msk-gov.com

# Reference: https://twitter.com/FF1565166422/status/1645252984643932160
# Reference: https://twitter.com/StopMalvertisin/status/1676260222573375491
# Reference: https://www.virustotal.com/gui/file/ae2a3b4bc5c1c5b7419c9daa3e32e8896132b970ab3c46d059e1696896e86498/detection
# Reference: https://www.virustotal.com/gui/file/a9279ccd0bfc953a8acc4b134235902debe7f2b5cbb8aaf5a5549752c416e542/detection

185.252.147.12:443
185.252.147.12:5612
185.252.147.12:5800
infovesty.ru

# Reference: https://twitter.com/suyog41/status/1706618278066434180
# Reference: https://www.virustotal.com/gui/ip-address/188.120.249.17/relations
# Reference: https://www.virustotal.com/gui/file/fbb6d99412b83621dc8f5293d42ebc75546d9144cab5f43fddc40d3f0c61daac/detection
# Reference: https://www.virustotal.com/gui/file/e3be669caa13562d293c4523251319b30ccc0d702c11e903233ac1c4e7bf94ec/detection
# Reference: https://www.virustotal.com/gui/file/d2b621ee0bda40eaa43f55e697d79cc36feba09a2027c2eb9437c910eb551558/detection
# Reference: https://www.virustotal.com/gui/file/4b47793851c3844e5344e703618a3addfab2d3cb2b1debcd8682c423f7f6887b/detection
# Reference: https://www.virustotal.com/gui/file/2600c984ac0571a72882cf12de449cde44cbf9cf42b365965e5b3fd3ceeb2d96/detection

softcillection.com

# Reference: https://twitter.com/t3ft3lb/status/1717545342294528309
# Reference: https://www.virustotal.com/gui/ip-address/95.217.82.125/relations
# Reference: https://www.virustotal.com/gui/file/e3d2e6f8740bc5a510239af41e77a3e07eaf09f1aa5cda78558035399db3f971/detection

network-list.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-12-19-v10489/1221

avito-service.net

# Reference: https://twitter.com/t3ft3lb/status/1759849432936272143
# Reference: https://www.virustotal.com/gui/ip-address/146.19.143.25/relations
# Reference: https://www.virustotal.com/gui/ip-address/192.254.79.69/relations
# Reference: https://app.any.run/tasks/094820ce-042b-435f-9ce2-2d65c539dafd/
# Reference: https://www.virustotal.com/gui/file/5af1214fc0ca056e266b2d093099a3562741122f32303d3be7105ce0c2183821/detection
# Reference: https://www.virustotal.com/gui/file/97c1b67ca33790ff7656496b7511a80c1b3c2c116bce4278700be854bd5519c2/detection
# Reference: https://www.virustotal.com/gui/file/b4c0902a9fb29993bc7573d6e84547d0393c07e011f7b633f6ea3a67b96c6577/detection
# Reference: https://www.virustotal.com/gui/file/d54b1ddb6f3bc94d68e9eddebf0caf81f80563794a564ce687c5f8444acf0e60/detection

triger-working.com
web-telegrama.org

# Generic

/appalcanedentrecentlyconvergenting.png
/azure6steeps4sneaker2wow5herpes0him6fawn9octree5
/politic8stylist1stultification8sadomasochism2
/soarnegroidmeanalkydapresowntipslushing.png
/validate7condom7rapids9simoom9
/veal3reveal0bask6goodby9gust6legitimate6wiliness1