# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: APT29, Cozy Bear, The Dukes, WellMess, WellMail, SoreFang, PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke, CloudDuke

# Reference: https://otx.alienvault.com/pulse/55fae83567db8c6fb3518bcd/
# Reference: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

# Reference: https://www.f-secure.com/weblog/archives/00002822.html

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
# Reference: https://otx.alienvault.com/pulse/5da83c7c104ff3553f418443

# Reference: https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
# Reference: https://otx.alienvault.com/pulse/5f107c022dfb7a7c8fec7903

# Reference: https://twitter.com/IntezerLabs/status/1285487000091598863
# Reference: https://www.virustotal.com/gui/file/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2/detection

# Reference: https://twitter.com/ShadowChasing1/status/1288403929462530049
# Reference: https://www.virustotal.com/gui/file/95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc/detection

# Reference: https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/

# Reference: https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

# Reference: https://twitter.com/joakimkennedy/status/1303626343830167552
# Reference: https://www.virustotal.com/gui/file/ebfe9cc39dfdc1d1abe7fd4b1e248b16238234c5261610456de0317c2045555d/detection

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/7c20ef1547da114c15da8dd617d22dfd5c7fb08bb9eb07e30df35834619b915a/detection

# Reference: https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
# Reference: https://otx.alienvault.com/pulse/60b689c652cd41240e77cfbe

# Reference: https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/
# Reference: https://otx.alienvault.com/pulse/61090c601d7bda90aed534df
# Reference: https://www.virustotal.com/gui/file/775eff1087c9e134a370cc767aa8fee128ed0ede436a1860119bb1a5ea91111f/detection

# Reference: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ (# TrailBlazer)

# Reference: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/

# Reference: https://tria.ge/220721-s7pqcageb5

# Reference: https://twitter.com/WhichbufferArda/status/1581688188938358785
# Reference: https://www.virustotal.com/gui/file/56ddc93f0555b4934eef3c5ccd3cf09291240465aaccf373c28e2a0d1eb292a5/detection
# Reference: https://www.virustotal.com/gui/file/05d8b678bc3f14295fe6e8089e144b8adc622d5510e3a8fd7d0dda8f15c4bd13/detection
# Reference: https://www.virustotal.com/gui/file/6ee1e629494d7b5138386d98bd718b010ee774fe4a4c9d0e069525408bb7b1f7/detection

# Reference: https://twitter.com/felixaime/status/1632448523995103232
# Reference: https://github.com/pan-unit42/tweets/blob/master/2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt

# Reference: https://twitter.com/WhichbufferArda/status/1659254174620557314
# Reference: https://www.virustotal.com/gui/file/6e3b557b1a9c1ecd89eb3be978f8c1b775ee4822262aae9c1ee6c08399a37f73/detection