# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: CloudFall # Note: the reported link between Cloud Atlas and Red October is uncertain; treat the attribution as unconfirmed (see https://securelist.com/recent-cloud-atlas-activity/92016/) # Reference: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/ webdav.cloudme.com/bimm4276/CloudDrive/ # Reference: https://securelist.com/recent-cloud-atlas-activity/92016/ # Reference: https://otx.alienvault.com/pulse/5d5176f09f3f84634e1f0227 http://144.217.174.57 http://176.31.59.232 # Reference: https://twitter.com/Vishnyak0v/status/1197402642651193345 newoffice-template.com # Reference: https://twitter.com/jfslowik/status/1340352860274393088 # Reference: https://twitter.com/ShadowChasing1/status/1359127027438112773 # Reference: https://www.virustotal.com/gui/file/21ff553d752df93e10e45d0393eb097d5231346737e786ab8ad41324c299342a/detection ms-officeupdate.com # Reference: https://twitter.com/kyleehmke/status/1359531943252140040 # Reference: https://twitter.com/ShadowChasing1/status/1362359220046192640 # Reference: https://www.virustotal.com/gui/file/46c203cf15a4126f10b3933376215063fe385aba3be971d63fc4e7be34aaf171/detection ms-update.org # Reference: https://twitter.com/jfslowik/status/1363255047929294853 eurasia-research.org ms-template.com # Reference: https://twitter.com/h2jazi/status/1363918659534659587 # Reference: https://www.virustotal.com/gui/file/668236000a483b1735b7f8e244ae867804ee20fbd18e07860d1764a30e3ba60d/detection http://139.60.161.74/appalcanedentrecentlyconvergenting.png http://217.182.9.185/appalcanedentrecentlyconvergenting.png # Reference: https://twitter.com/ShadowChasing1/status/1364435382683668484 # Reference: https://www.virustotal.com/gui/file/439032cbee22ae75cce7e2340ca7ffe521dce3e18702ccd703cc5849dbf8954b/detection /referential5refugee0douglas4modulate5trio7 # Reference: 
https://twitter.com/ShadowChasing1/status/1364436330894135297 # Reference: https://www.virustotal.com/gui/file/4011b1fff8c088fcb4ac4a05a5a156912162293bbda8147597a41e09725b3ebf/detection /validate7condom7rapids9simoom9 # Reference: https://www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas http://139.60.161.74/appalcanedentrecentlyconvergenting.png http://185.70.184.32/soarnegroidmeanalkydapresowntipslushing.png # Reference: https://twitter.com/kyleehmke/status/1366796835541684224 ms-officeupdate.org # Reference: https://twitter.com/ShadowChasing1/status/1391788670349287425 # Reference: https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify # Reference: https://otx.alienvault.com/pulse/5fb8172cdb6535bd6935bfd6 # Reference: https://www.virustotal.com/gui/file/e5b76a3ec4c9b0a42ec953022b5d64f61e7cd64f78ea0cb7170b7882ffb180b6/detection 2020-windows.com azureblog.info brexitimpact.com doc-fid.com e-government-pk.com e-govoffice.com get-news-online.com gmocloudhosting.com interior-gov.com iphoneupdatecheck.com live-media.org liveinfo.org log1inbox.com ms-check-new-update.com msofficeupdate.com msofficeupdate.org msupdatecheck.com netserviceupdater.com new-office.org newoffice-template.com newoffice-update.com newupdate.org officeupgrade.org petronas-me.com rarnbler.com rneil.ru srv3-serveup-ads.net template-new.com template-office.org tls-login.com update-office.com upgrade-office.com upgrade-office.org user-twitter.com weather-server.net # Reference: https://twitter.com/h2jazi/status/1453748348964548617 # Reference: https://www.virustotal.com/gui/file/9e23a08981ae336068905c771754f7ea26b19d3d978b1bd554a4202a165b3072/detection checklicensekey.com # Reference: https://twitter.com/ShadowChasing1/status/1469145795723071492 # Reference: https://twitter.com/ShadowChasing1/status/1468924565653159942 # Reference: https://www.virustotal.com/gui/ip-address/185.117.91.175/relations # Reference: 
https://www.virustotal.com/gui/file/309ba0a33ecf3e123bc3e539a5443b5b633a135c3fc44fd0941d520fee39afb1/detection # Reference: https://www.virustotal.com/gui/file/60e9222f464cc99014a909ca4548cf38b20c7a5bbd80714dfd95ce89842be7db/detection msdocumentviever.com # Reference: https://www.zscaler.com/blogs/security-research/cloudfall-targets-researchers-and-scientists-invited-international-military # Reference: https://www.virustotal.com/gui/file/d911e17b3628471713adeac2c86ad429d4e873dacfa13a10ed9a316c49ed63b0/detection advancestore.workers.dev dc-microsoft.workers.dev digitalstorage.workers.dev fetrikekke531.workers.dev jerkufetra754.workers.dev microsoft-365.workers.dev microsoft-cloud.workers.dev office365online.workers.dev office365-cloud.workers.dev publicserver.workers.dev repository.workers.dev api.office365online.workers.dev asia.office365-cloud.workers.dev cloud.digitalstorage.workers.dev curly-waterfall-360d.fetrikekke531.workers.dev documents.publicserver.workers.dev eu.microsoft-365.workers.dev falling-haze-1812.jerkufetra754.workers.dev falling-haze-1813.jerkufetra754.workers.dev mirror.advancestore.workers.dev office365.dc-microsoft.workers.dev office365.microsoft-cloud.workers.dev plug.repository.workers.dev virustotall-360d.fetrikekke531.workers.dev # Generic (URL-path trails only, not tied to a single host; the random-word paths below were also seen on the specific hosts above) /appalcanedentrecentlyconvergenting.png /azure6steeps4sneaker2wow5herpes0him6fawn9octree5 /politic8stylist1stultification8sadomasochism2 /soarnegroidmeanalkydapresowntipslushing.png /validate7condom7rapids9simoom9 /veal3reveal0bask6goodby9gust6legitimate6wiliness1