# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: blackenergy, quedagh, voodoo bear, temp.noble, iron viking
# CERT-UA: UAC-0082

# Reference: https://web.archive.org/web/20120106212034/http://amada.abuse.ch/blocklist.php?download=domainblocklist

abaronaweb.net
ads.ew.com.cn
all-invite.org
aut0mat.info
bka.im
cazino-game.com
cxim.asia
ddumasz.info
globdomain.ru
hackzona.tk
jakkaru.ru
k0x.ru
kandagarka.net
myprodjs.ru
olololo.in
onlinejobsnet.co.cc
prava-servise.ru
sharp.mcdir.ru
webprofiler.cc
write-dream.ru

# Reference: https://www.virustotal.com/gui/ip-address/185.80.53.22/relations

account-googlmail.ml
account-loginserv.com

# Reference: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf
# Reference: https://www.virustotal.com/gui/file/dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730/detection

95.216.13.196:53
95.216.13.196:8080
hostapp.be

# Reference: https://twitter.com/kyleehmke/status/1267222198588145664

userarea.click
userarea.eu

# Reference: https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure/

fbapp.info
fbapp.link
fbapp.top
myaccount.click
myaccount.one
userarea.click
userarea.eu
userarea.in
userarea.top
userzone.eu
userzone.one
webcache.one

# Reference: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
# Reference: https://otx.alienvault.com/pulse/623319918d3021c70ec8f396

1.9.85.247:3269
1.9.85.247:636
1.9.85.247:8443
1.9.85.247:989
1.9.85.247:990
1.9.85.247:994
1.9.85.247:995
1.9.85.248:3269
1.9.85.248:636
1.9.85.248:8443
1.9.85.248:989
1.9.85.248:990
1.9.85.248:994
1.9.85.248:995
1.9.85.249:3269
1.9.85.249:636
1.9.85.249:8443
1.9.85.249:989
1.9.85.249:990
1.9.85.249:994
1.9.85.249:995
1.9.85.252:3269
1.9.85.252:636
1.9.85.252:8443
1.9.85.252:989
1.9.85.252:990
1.9.85.252:994
1.9.85.252:995
1.9.85.253:3269
1.9.85.253:636
1.9.85.253:8443
1.9.85.253:989
1.9.85.253:990
1.9.85.253:994
1.9.85.253:995
1.9.85.254:3269
1.9.85.254:636
1.9.85.254:8443
1.9.85.254:989
1.9.85.254:990
1.9.85.254:994
1.9.85.254:995
102.50.244.205:3269
102.50.244.205:636
102.50.244.205:8443
102.50.244.205:989
102.50.244.205:990
102.50.244.205:994
102.50.244.205:995
148.76.89.2:3269
148.76.89.2:636
148.76.89.2:8443
148.76.89.2:989
148.76.89.2:990
148.76.89.2:994
148.76.89.2:995
148.76.89.3:3269
148.76.89.3:636
148.76.89.3:8443
148.76.89.3:989
148.76.89.3:990
148.76.89.3:994
148.76.89.3:995
148.76.89.4:3269
148.76.89.4:636
148.76.89.4:8443
148.76.89.4:989
148.76.89.4:990
148.76.89.4:994
148.76.89.4:995
148.76.89.5:3269
148.76.89.5:636
148.76.89.5:8443
148.76.89.5:989
148.76.89.5:990
148.76.89.5:994
148.76.89.5:995
148.76.89.6:3269
148.76.89.6:636
148.76.89.6:8443
148.76.89.6:989
148.76.89.6:990
148.76.89.6:994
148.76.89.6:995
151.0.185.146:3269
151.0.185.146:636
151.0.185.146:8443
151.0.185.146:989
151.0.185.146:990
151.0.185.146:994
151.0.185.146:995
151.0.185.147:3269
151.0.185.147:636
151.0.185.147:8443
151.0.185.147:989
151.0.185.147:990
151.0.185.147:994
151.0.185.147:995
151.0.185.148:3269
151.0.185.148:636
151.0.185.148:8443
151.0.185.148:989
151.0.185.148:990
151.0.185.148:994
151.0.185.148:995
151.0.185.149:3269
151.0.185.149:636
151.0.185.149:8443
151.0.185.149:989
151.0.185.149:990
151.0.185.149:994
151.0.185.149:995
151.0.185.150:3269
151.0.185.150:636
151.0.185.150:8443
151.0.185.150:989
151.0.185.150:990
151.0.185.150:994
151.0.185.150:995
182.73.50.114:3269
182.73.50.114:636
182.73.50.114:8443
182.73.50.114:989
182.73.50.114:990
182.73.50.114:994
182.73.50.114:995
182.73.50.115:3269
182.73.50.115:636
182.73.50.115:8443
182.73.50.115:989
182.73.50.115:990
182.73.50.115:994
182.73.50.115:995
217.57.80.18:3269
217.57.80.18:636
217.57.80.18:8443
217.57.80.18:989
217.57.80.18:990
217.57.80.18:994
217.57.80.18:995
37.71.147.186:3269
37.71.147.186:636
37.71.147.186:8443
37.71.147.186:989
37.71.147.186:990
37.71.147.186:994
37.71.147.186:995
50.192.49.210:3269
50.192.49.210:636
50.192.49.210:8443
50.192.49.210:989
50.192.49.210:990
50.192.49.210:994
50.192.49.210:995
96.80.68.193:3269
96.80.68.193:636
96.80.68.193:8443
96.80.68.193:989
96.80.68.193:990
96.80.68.193:994
96.80.68.193:995
96.80.68.194:3269
96.80.68.194:636
96.80.68.194:8443
96.80.68.194:989
96.80.68.194:990
96.80.68.194:994
96.80.68.194:995
96.80.68.195:3269
96.80.68.195:636
96.80.68.195:8443
96.80.68.195:989
96.80.68.195:990
96.80.68.195:994
96.80.68.195:995
96.80.68.196:3269
96.80.68.196:636
96.80.68.196:8443
96.80.68.196:989
96.80.68.196:990
96.80.68.196:994
96.80.68.196:995
96.80.68.197:3269
96.80.68.197:636
96.80.68.197:8443
96.80.68.197:989
96.80.68.197:990
96.80.68.197:994
96.80.68.197:995

# Reference: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

100.43.220.234:3269
100.43.220.234:636
100.43.220.234:8443
100.43.220.234:989
100.43.220.234:990
100.43.220.234:994
100.43.220.234:995
100.43.220.234:996
105.159.248.137:3269
105.159.248.137:636
105.159.248.137:8443
105.159.248.137:989
105.159.248.137:990
105.159.248.137:994
105.159.248.137:995
105.159.248.137:996
109.192.30.125:3269
109.192.30.125:636
109.192.30.125:8443
109.192.30.125:989
109.192.30.125:990
109.192.30.125:994
109.192.30.125:995
109.192.30.125:996
151.0.169.250:3269
151.0.169.250:636
151.0.169.250:8443
151.0.169.250:989
151.0.169.250:990
151.0.169.250:994
151.0.169.250:995
151.0.169.250:996
185.82.169.99:3269
185.82.169.99:636
185.82.169.99:8443
185.82.169.99:989
185.82.169.99:990
185.82.169.99:994
185.82.169.99:995
185.82.169.99:996
188.152.254.170:3269
188.152.254.170:636
188.152.254.170:8443
188.152.254.170:989
188.152.254.170:990
188.152.254.170:994
188.152.254.170:995
188.152.254.170:996
2.230.110.137:3269
2.230.110.137:636
2.230.110.137:8443
2.230.110.137:989
2.230.110.137:990
2.230.110.137:994
2.230.110.137:995
2.230.110.137:996
208.81.37.50:3269
208.81.37.50:636
208.81.37.50:8443
208.81.37.50:989
208.81.37.50:990
208.81.37.50:994
208.81.37.50:995
208.81.37.50:996
212.103.208.182:3269
212.103.208.182:636
212.103.208.182:8443
212.103.208.182:989
212.103.208.182:990
212.103.208.182:994
212.103.208.182:995
212.103.208.182:996
212.202.147.10:3269
212.202.147.10:636
212.202.147.10:8443
212.202.147.10:989
212.202.147.10:990
212.202.147.10:994
212.202.147.10:995
212.202.147.10:996
212.234.179.113:3269
212.234.179.113:636
212.234.179.113:8443
212.234.179.113:989
212.234.179.113:990
212.234.179.113:994
212.234.179.113:995
212.234.179.113:996
24.199.247.222:3269
24.199.247.222:636
24.199.247.222:8443
24.199.247.222:989
24.199.247.222:990
24.199.247.222:994
24.199.247.222:995
24.199.247.222:996
37.99.163.162:3269
37.99.163.162:636
37.99.163.162:8443
37.99.163.162:989
37.99.163.162:990
37.99.163.162:994
37.99.163.162:995
37.99.163.162:996
50.255.126.65:3269
50.255.126.65:636
50.255.126.65:8443
50.255.126.65:989
50.255.126.65:990
50.255.126.65:994
50.255.126.65:995
50.255.126.65:996
70.62.153.174:3269
70.62.153.174:636
70.62.153.174:8443
70.62.153.174:989
70.62.153.174:990
70.62.153.174:994
70.62.153.174:995
70.62.153.174:996
78.134.89.167:3269
78.134.89.167:636
78.134.89.167:8443
78.134.89.167:989
78.134.89.167:990
78.134.89.167:994
78.134.89.167:995
78.134.89.167:996
80.15.113.188:3269
80.15.113.188:636
80.15.113.188:8443
80.15.113.188:989
80.15.113.188:990
80.15.113.188:994
80.15.113.188:995
80.15.113.188:996
80.153.75.103:3269
80.153.75.103:636
80.153.75.103:8443
80.153.75.103:989
80.153.75.103:990
80.153.75.103:994
80.153.75.103:995
80.153.75.103:996
80.155.38.210:3269
80.155.38.210:636
80.155.38.210:8443
80.155.38.210:989
80.155.38.210:990
80.155.38.210:994
80.155.38.210:995
80.155.38.210:996
81.4.177.118:3269
81.4.177.118:636
81.4.177.118:8443
81.4.177.118:989
81.4.177.118:990
81.4.177.118:994
81.4.177.118:995
81.4.177.118:996
90.63.245.175:3269
90.63.245.175:636
90.63.245.175:8443
90.63.245.175:989
90.63.245.175:990
90.63.245.175:994
90.63.245.175:995
90.63.245.175:996
93.51.177.66:3269
93.51.177.66:636
93.51.177.66:8443
93.51.177.66:989
93.51.177.66:990
93.51.177.66:994
93.51.177.66:995
93.51.177.66:996

# Reference: https://cert.gov.ua/article/39518 (Ukrainian)
# Reference: https://otx.alienvault.com/pulse/62552abdd7e44d9aba08636d

http://195.230.23.19
http://91.245.255.243
195.230.23.19:443
91.245.255.243:443

# Reference: https://cert.gov.ua/article/160530 (Ukrainian)
# CERT-UA: CrescentImp, UAC-0113

185.80.92.143:8998
87.236.161.43:443

# Reference: https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/
# Reference: https://www.virustotal.com/gui/ip-address/193.239.152.131/relations
# Reference: https://www.virustotal.com/gui/file/43b69a81693488905ef655d22e395c3f8dee2486aba976d571d3b12433d10c93/detection
# Reference: https://www.virustotal.com/gui/file/0bb5e98f77e69d85bf5068bcbc5b5876f8e5855d34d9201d1caffbf83460cccc/detection

http://193.239.152.131

# Reference: https://cys-centrum.com/ru/news/black_energy_2_3 (Russian)

http://146.0.74.7
http://148.251.82.21
http://188.40.8.72
http://31.210.111.154
http://41.77.136.250
http://5.149.254.114
http://5.9.32.230
http://88.198.25.92
http://95.211.122.36
146.0.74.7:443
148.251.82.21:443
188.40.8.72:443
31.210.111.154:443
41.77.136.250:443
5.149.254.114:443
5.9.32.230:443
88.198.25.92:443
/Microsoft/Update/KS4567890.php
/Microsoft/Update/KS081274.php
/Microsoft/Update/KC074913.php
/Microsoft/Update/KS1945777.php
/fHKfvEhleQ/maincraft/derstatus.php
/fHKfvEhleQ/maincraft/
/fHKfvEhleQ/
/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php
/l7vogLG/BVZ99/rt170v/solocVI/
/l7vogLG/BVZ99/rt170v/
/l7vogLG/BVZ99/
/eegL7p.php

# Reference: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

http://46.165.222.28
http://94.185.85.122
46.165.222.28:443

# Reference: https://twitter.com/RecordedFuture/status/1571946803427414016
# Reference: https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine

kievstar.online
ett.ddns.net
ett.hopto.org
darkett.ddns.net
kyiv-star.ddns.net
star-cz.ddns.net
star-link.ddns.net

# Reference: https://twitter.com/Des00464472/status/1590213508423352320

124.115.171.103:443

# Reference: https://twitter.com/RakeshKrish12/status/1687344650963804160 (# Cyclops Ransomware group had discontinued their ops & rebranded themselves as "Knight" Group (Knight ransomware)!)

knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion
nt3rrzq5hcyznvdkpslvqbbc2jqecqrinhi5jtwoae2x7psqtcb6dcad.onion

# Reference: https://twitter.com/felixw3000/status/1689541933062868992
# Reference: https://www.virustotal.com/gui/file/5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe/detection

dvjbn4sg4p1ck.cloudfront.net

# Reference: https://twitter.com/fr0s7_/status/1696485604630970879
# Reference: https://www.virustotal.com/gui/file/25497816b84a44be526c4cf048b53fe64118dbda5fdde45bdffe5ce3e2fe259f/detection

knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion