# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: APT29, Cozy Bear, The Dukes, WellMess, WellMail, SoreFang, PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke, CloudDuke

# Format as used in this file: one indicator per line. Indicator forms present below are bare
# domains, IPs written as "http://IP", "IP:port" pairs, "domain/path" URLs and a few host-less
# "/path" fragments. Each run of "# Reference:" lines documents the source of the indicators
# that follow it, up to the next "# Reference:" run.
# NOTE(review): some indicators recur in more than one form across sections (e.g. 178.211.39.6
# and 141.98.212.55 appear as "http://IP" and later as "IP:port"); presumably harmless, but
# worth collapsing the next time the file is curated.

# Reference: https://otx.alienvault.com/pulse/55fae83567db8c6fb3518bcd/
# Reference: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

nasdaqblog.net
nytunion.com
overpict.com
greencastleadvantage.com
sixsquare.net
oilnewsblog.com
grouptumbler.com
airtravelabroad.com
beijingnewsblog.net
ustradecomp.com
nestedmail.com
leveldelta.com
nostressjob.com
natureinhome.com
deervalleyassociation.com

# Reference: https://www.f-secure.com/weblog/archives/00002822.html

portal.sbn.co.th

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
# Reference: https://otx.alienvault.com/pulse/5da83c7c104ff3553f418443

# NOTE(review): several of the hosts below look like ordinary small-business, school or club
# sites (law office, yoga studio, bulldog club) -- presumably compromised third-party
# infrastructure rather than actor-registered domains. Such hosts tend to get cleaned up, so
# treat a hit as a lead to confirm rather than proof on its own.
acciaio.com.br
bandabonga.fr
busseylawoffice.com
ceycarb.com
coachandcook.at
ecolesndmessines.org
fairfieldsch.org
fisioterapiabb.it
lorriratzlaff.com
ministernetwork.org
motherlodebulldogclub.com
powerpolymerindustry.com
publiccouncil.org
rulourialuminiu.co.uk
salesappliances.com
sistemikan.com
skagenyoga.com
varuhusmc.org
westmedicalgroup.net

# Reference: https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
# Reference: https://otx.alienvault.com/pulse/5f107c022dfb7a7c8fec7903

http://103.13.240.46
http://103.205.8.72
http://103.216.221.19
http://103.253.41.102
http://103.253.41.68
http://103.253.41.82
http://103.253.41.90
http://103.73.188.101
http://111.90.146.143
http://111.90.150.176
http://119.160.234.163
http://119.160.234.194
http://119.81.173.130
http://119.81.178.105
http://119.81.184.11
http://120.53.12.132
http://122.114.197.185
http://122.114.226.172
http://141.255.164.29
http://141.98.212.55
http://145.249.107.73
http://146.0.76.37
http://149.202.12.210
http://169.239.128.110
http://176.119.29.37
http://178.211.39.6
http://185.145.128.35
http://185.225.226.16
http://185.99.133.112
http://188.241.68.137
http://191.101.180.78
http://192.48.88.107
http://202.59.9.59
http://209.58.186.196
http://209.58.186.197
http://209.58.186.240
http://220.158.216.130
http://27.102.130.115
http://31.170.107.186
http://31.7.63.141
http://45.120.156.69
http://45.123.190.167
http://45.123.190.168
http://45.129.229.48
http://45.152.84.57
http://46.19.143.69
http://5.199.174.164
http://66.70.247.215
http://79.141.168.109
http://81.17.17.213
http://85.93.2.116

# Reference: https://twitter.com/IntezerLabs/status/1285487000091598863
# Reference: https://www.virustotal.com/gui/file/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2/detection

111.90.150.140:25

# Reference: https://twitter.com/ShadowChasing1/status/1288403929462530049
# Reference: https://www.virustotal.com/gui/file/95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc/detection

http://178.211.39.6
141.98.212.55:121

# Reference: https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/

monitor.syn.cn

# Reference: https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

103.216.221.18:50031

# Reference: https://twitter.com/joakimkennedy/status/1303626343830167552
# Reference: https://www.virustotal.com/gui/file/ebfe9cc39dfdc1d1abe7fd4b1e248b16238234c5261610456de0317c2045555d/detection

103.253.41.102:8081

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/7c20ef1547da114c15da8dd617d22dfd5c7fb08bb9eb07e30df35834619b915a/detection

# NOTE(review): the TrueSec post cited above is a FIN7/Ryuk investigation; the APT29 link for
# the four entries below presumably rests on the VirusTotal sample. Confirm before using them
# for attribution rather than plain detection. "d1d66buv7blf1z.cloudfront.net" is a specific
# CloudFront distribution name -- the indicator is that exact hostname, not cloudfront.net.
45.91.93.89:443
d1d66buv7blf1z.cloudfront.net
myrric-uses.singlejets.com
sendbits.m2stor4ge.xyz

# Reference: https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
# Reference: https://otx.alienvault.com/pulse/60b689c652cd41240e77cfbe

74d6b7b2.app.giftbox4u.com
content.pcmsar.net
doggroomingnews.com
hanproud.com

# Reference: https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/
# Reference: https://otx.alienvault.com/pulse/61090c601d7bda90aed534df
# Reference: https://www.virustotal.com/gui/file/775eff1087c9e134a370cc767aa8fee128ed0ede436a1860119bb1a5ea91111f/detection

http://103.193.4.101
http://111.90.147.248
http://111.90.151.120
http://116.202.251.49
http://116.202.251.5
http://141.255.164.11
http://141.98.214.14
http://152.44.45.10
http://152.89.160.81
http://178.157.13.168
http://185.140.55.35
http://185.207.205.174
http://193.36.116.119
http://193.36.119.162
http://193.36.119.184
http://31.13.195.210
http://37.120.247.163
http://45.124.132.10
http://45.124.132.106
http://91.132.139.195

# Reference: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ (# TrailBlazer)

# NOTE(review): "/rainloop/forecast" is a host-less path fragment, presumably matched regardless
# of host. RainLoop is a widely deployed webmail package, so confirm the host of any hit before
# escalating.
satkas.waw.pl
/rainloop/forecast

# Reference: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/

porodicno.ba/wp-content/Agenda.html
wethe6and9.ca/wp-content/Agenda.html

# Reference: https://tria.ge/220721-s7pqcageb5

141.98.212.55:53
209.58.186.196:443

# Reference: https://twitter.com/WhichbufferArda/status/1581688188938358785
# Reference: https://www.virustotal.com/gui/file/56ddc93f0555b4934eef3c5ccd3cf09291240465aaccf373c28e2a0d1eb292a5/detection
# Reference: https://www.virustotal.com/gui/file/05d8b678bc3f14295fe6e8089e144b8adc622d5510e3a8fd7d0dda8f15c4bd13/detection
# Reference: https://www.virustotal.com/gui/file/6ee1e629494d7b5138386d98bd718b010ee774fe4a4c9d0e069525408bb7b1f7/detection

sinitude.com

# Reference: https://twitter.com/felixaime/status/1632448523995103232
# Reference: https://github.com/pan-unit42/tweets/blob/master/2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt

literaturaelsalvador.com/Instructions.html
literaturaelsalvador.com/Schedule.html
signitivelogics.com/BMW.html
signitivelogics.com/Schedule.html

# Reference: https://twitter.com/WhichbufferArda/status/1659254174620557314
# Reference: https://www.virustotal.com/gui/file/6e3b557b1a9c1ecd89eb3be978f8c1b775ee4822262aae9c1ee6c08399a37f73/detection

poetpages.com/pp/l4.php

# Reference: https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/

# NOTE(review): per the title of the cited lab52 post, this cluster was attributed to an
# *unknown* actor reusing APT29 TTPs against Chinese users -- weaker attribution than the rest
# of this file; label hits accordingly.
gtjas.site
info.gtjas.site
1597ebba.info.gtjas.site
3bcc1bba.info.gtjas.site
7c291bbe.info.gtjas.site

# Reference: https://twitter.com/doc_guard/status/1683971701023932416
# Reference: https://twitter.com/StopMalvertisin/status/1684084388546633728
# Reference: https://www.virustotal.com/gui/file/302c0d553c9e7f2561864d79022b780a53ec0a5927e8962d883b88dde249d044/detection

# NOTE(review): spelled "sgrhf.org.pk" here but "sgrfh.org.pk" in the Mandiant section further
# down -- one of the two looks like a letter transposition. Check the cited reports and align
# them: a mistyped indicator either misses the real host or flags an unrelated one.
sgrhf.org.pk

# Reference: https://twitter.com/RexorVc0/status/1684820825998774272
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf
# Reference: https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
# Reference: https://otx.alienvault.com/pulse/64aed22c405b3e8f605125e8

easym6.com/Information.php
fondoftravel.com/contact.php
mightystake.com/sponsorship.php
reidao.com/dashboard.php
resetlocations.com/bmw.htm
sharpledge.com/login.php
simplesalsamix.com/e-yazi.html
sylvio.com.br/form.php
te-as.no/wine.php
willyminiatures.com/e-yazi.html

# Reference: https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
# Reference: https://otx.alienvault.com/pulse/6511f107da5fed8d065d9477

inovaoftalmologia.com.br
kegas.id
kitaeri.com
gavice.ng/event_program.php
parquesanrafael.cl/note.html
# NOTE(review): see the spelling note at "sgrhf.org.pk" above -- verify which form is correct.
sgrfh.org.pk/wp-content/idx.php

# Reference: https://twitter.com/h2jazi/status/1714986809229251067
# Reference: https://www.virustotal.com/gui/file/f78ee3005ca9f0e78a9dd136fc69afe7c06d69d1fc6218bc9e7eb3adec045977/detection

# NOTE(review): ngrok tunnel hostnames are typically per-session and short-lived; expect this
# indicator to go stale quickly. Only this exact hostname is the indicator, not ngrok-free.app
# as a whole.
d287-206-123-149-139.ngrok-free.app

# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
# Reference: https://otx.alienvault.com/pulse/657a2c924ea0e3e9e95e9433

matclick.com

# Reference: https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793

# NOTE(review): the S3 bucket and trycloudflare hostnames below are tenant-specific names on
# shared cloud services -- only the exact hostnames are indicators -- and the tunnel name is
# likely short-lived. "/ujwphtigdcokr" is a host-less path fragment, presumably matched on any
# host.
103.76.128.34:8080
bringthenoiseappnew.s3.amazonaws.com
fisheries-states-codes-camps.trycloudflare.com
/ujwphtigdcokr

# Reference: https://twitter.com/SinghSoodeep/status/1763808104221737156 (# SPIKEDWINE)
# Reference: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
# Reference: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
# Reference: https://www.virustotal.com/gui/file/a0f183ea54cb25dd8bdba586935a258f0ecd3cba0d94657985bb1ea02af8d42c/detection

siestakeying.com/auth.php
waterforvoiceless.org/invite.php
waterforvoiceless.org/util.php