# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt28, sednit, sofacy, fancy bear, pawn storm, SNAKEMACKEREL, STRONTIUM, zebrocy, group 74, tsar team, threat group-4127, TG-4127, ta422

# MITRE: https://attack.mitre.org/groups/G0007/
# CERT-UA: UAC-0028

# Reference: https://www.alienvault.com/open-threat-exchange/blog/from-russia-with-love-sofacy-sednit-apt28-is-in-town
# Reference: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/22170
# Reference: http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf

adawareblock.com
adobeincorp.com
azureon-line.com
checkmalware.info
checkmalware.org
checkwinframe.com
check-fix.com
hotfix-update.com
microsofi.org
microsof-update.com
scanmalware.info
secnetcontrol.com
securitypractic.com
symanttec.org
testservice24.net
testsnetcontrol.com
updatepc.org
updatesoftware24.com
windows-updater.com

# Reference: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/

drivres-update.info
intelnetservice.com
intelsupport.net
softupdates.info

# Reference: https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf

b-of-americ.com
osce-military.org
bbcnewsweek.com
qov.hu.com
settings-yahoo.com
yovtube.co
googlesetting.com
cbiuaebn.com
cbiuaebank.com
techcruncln.com
un-unicef.org
royalbsuk.com
kwqx.us
middle-eastreview.org
unitednat.org
fbonlinelottery.com
fubnt.com
globeshippers.biz
globeshippers.net
gsandsc.com
gshippers.com
hesselawchambers.com
largefarm.net
regionsbnk.info
seatreasures.org
ssandsc.com
t-d-canadatrust.com
techielawfirms.com
togounoffice.com
ubagroupsgh.com
unicomba.com
universalcoba.com

# Reference: https://www.fireeye.com/resources/pdfs/apt28.pdf

standartnevvs.com
novinitie.com
n0vinite.com
qov.hu.com
q0v.pl
mail.q0v.pl
poczta.mon.q0v.pl

# Reference: http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-110315-1233-99

scanmalware.info
malwarecheck.info
adawareblock.com
checkmalware.org

# Reference: https://www.tr1adx.net/intel/public/TIB-00001_IOC_Domain.txt

365msoffice.com
acccountverify.com
accgmail.com
account-close-status.com
accountsteam-en.com
accounts-updated.com
accountverify.com
accountverify.info
adobe-flash-updates.org
adobemainsecurity.com
akadns.info
akamaichecker.com
apple-assistance-localisation.com
apple-care-support.com
apple-cloud-connect.com
applecloudupdate.com
apple-iclouds.net
appleid-security-icloud.com
apple-id-service.com
apple-iphonesecurity-icloud.com
apple-iphone-services.com
apple-location-id.com
apple-security-support.info
apple-support-securityiphone.com
apps4updates.com
arghpxdge01-airgas.com
cavuslawfirm.com
checkfindmyiphone.com
cloud-apple-support.com
cloud-id-localisation.com
csert.net
dateosx.com
defenceglobaladviser.com
delivery-mail-service.com
diplomatscouncil.org
emailprovider.org
emails-aol.com
exchangetrusts.com
facebookonlinenotice.com
facebookservices.org
fbarticles.com
generalscaningcorp.org
generalsecuritycorp.org
generalsecurityscan.com
getwindowsupdates.com
globaldefencetalk.com
gmailservicegroup.com
gmailservices.org
gnpad-gh-gov.org
google-vservice.com
iadb-online.com
icloud-id-en.com
icloud-id-localisation.com
icloud-id-security.com
icloud-id-services.com
icloud-iphonesecurity.com
icloud-iphone-services.com
icloud-localisation-id.com
icloud-security-support.com
icloud-service-apple.com
icloud-support-id.com
identification-apple.com
identification-apple-id.com
identification-icloud-id.com
id-icloud-localisation.com
id-icloud-support.com
imf-eu.org
istoreapple.com
itune-app.com
itunes-helper.net
limited-resolution.com
limited-verification.com
localisation-apple.com
localisation-apple-id.com
localisation-apple-security.com
localisation-id-apple.com
localisation-id-icloud.com
localisation-security.com
localisation-support.com
login-resolve-limitations.com
login-security-center.com
login-security-notification.com
login-security-verifications.com
mailerfeed.net
mail-periodistas.net
microsoftdccenter.com
microsoftfont.com
microsoftofficeupdate.net
mobilehostsvc.com
msfontsrv.com
msmodule.net
msofficeinstall.com
nato-nevvs.org
netcorpscanprotect.com
nvidiagforceup.com
officefont.com
offlineupdates.com
politicsadvertisment.com
pressservices.net
privacy-ukr.net
protectingcorpind.com
proxysys-config.com
reinstate-account.com
reportscanprotecting.org
reservecorpind.com
rsshotmail.com
samsvung.com
secureconnectcompany.com
secure-remove-limitation.com
secure-verification-center.com
security-apple-id.com
security-icloud-apple.com
security-icloud-localisation.com
security-resolution-center.com
security-verification.net
security-verifications.com
shcserv.com
signin-icloudsupport.com
support-icloud-apple.com
support-icloud-localisation.com
support-localisation-icloud.com
support-security-icloud.com
support-svc.com
transfersevices.net
transworldpetroleum.com
twiterservices.org
update-adobe.com
updatepple.com
update-security-information.com
updatesrvx.net
us-facebook.com
windowsofficeupdate.com
winsystemsvc.net
wpadsettings.net
wsusconnect.com
xn--amazo-d8a.com
yuotubc.com

# sinkholed by

34564414564.com
645547657668787.com
access-google.com
account-microsoftonline.com
account-office365.com
accounts-googlc.com
accounts.rsshotmail.com
acledit.com
actblues.com
adfs-senate.email
adfs.senate.qov.info
adfs-senate.services
adobeincorp.com
adobeproduct.com
adobestatistic.com
adobestatistic.org
adobeupdater.org
adobeupdatetechnology.com
advpdxapi.com
akamaicachecdn.com
akamaisoftupdate.com
akamaitechnologysupport.com
akamaitechupdate.com
americanprogress-office365.com
americanprogress-outlook.com
apionedrive.com
apple-checker.org
applecloudupdate.com
apple-iclods.org
apple-iclouds.net
apple-search.info
apple-uptoday.org
app-submitcentre.com
autoupdater.org
bbcnewsweek.com
blacktivist.info
bonjourcheck.com
brookings.sharepoint.liveoffice365.me
changepassword-hotmail.com
checkmalware.info
checkmalware.org
checkwinframe.com
cleanphonetrksftware.com
cloudflarecdn.com
cloudmicrosoft365.com
cloudupgrade.org
dailyforeignnews.com
diplomatnews.org
dncvotebuilder.com
dotnetupdatechecker.com
drivers-update.info
driversupdate.info
dvsservice.com
dvsservice.net
easycache.net
egypressoffice.com
eservicesystems.net
evbrax.org
extad.info
extstat.info
fastcontech.com
faststoragefiles.org
finemagicball.org
generalsecuritycorp.org
globaltechresearch.org
gtranm.com
helpmicrosoft.net
help-msoutlook.com
hotfixmsupload.com
hotmail-monitor.com
hubsg.net
hudsonorg-my-sharepoint.com
info2t.com
inteldrv64.com
intelintelligence.org
intelmeserver.com
intelsupportcenter.com
intelsupportcenter.net
ipv6-microsoft.com
kenlynton.com
lgemon.org
linuxkrnl.net
livemicrosoft.net
liveoffice365.me
login.cloudmicrosoft365.com
login-on-live.com
log-in-osce.org
login-outlook.com
login-security-center.com
loqin-microsoftonline.com
lowprt.org
lucyonmail.org
malwarecheck.info
micoft.com
microsofi.org
microsoftcheckupdate.com
microsoftcorpstatistic.com
microsoftdccenter.com
microsoftdriver.com
microsoftdskservice.com
microsofthelpcenter.info
microsoftonlihe.com
microsoftsecurepolicy.org
microsoftsupp.com
microsoft-update-cdn.com
microsoft-updatecdn.com
microsof-update.com
miropc.org
mlidef.com
mscoresvw.com
ms-drivadptrwin.com
msmodule.com
msmodule.net
msnsupportcare.com
msofficeinstall.com
msoftonline.com
msrdr.com
msrwr.com
ms-update.info
ms-update.net
ms-updates.com
mvsband.com
my-iri.org
mymail-ukr.net
naoasch.com
natoexhibitionff14.com
natoint.com
ndsee.org
netcorpscanprotect.com
networkschecker.net
newfilmts.com
newsdailyworld.com
news.intelsupportcenter.com
nortonupdate.org
noticermk.com
notificationstatus.com
office365-account.com
office365-microsoft.com
office365-onedrive.com
officemicroupdate.com
officeupdater.com
onedrive365.com
onedrivemicrosoft365.com
onedrivemicrosoft.com
onedrive-office365.com
onedriveoffice365.com
one-drive.org
onedrive-outlook.com
outlook-security.org
petropershiyinukra.com
philcfo.org
pldtprv.net
privacy-hotmail.com
profile-hotmail.com
publishdollar.com
qov.info
remsupport.org
reportscanprotecting.org
researchcontinental.org
reservecorpind.com
rsshotmail.com
runssnetworks.com
runvercheck.com
scanmalware.info
sdhjjekfp4k.com
search-microsoft.com
secao.org
secnetcontrol.com
secure.actblues.com
securemicrosoftstatistic.com
securitysls.com
securityupdatereport.com
senate.group
senate.qov.info
seniorsecurityind.com
servicecorptech.com
service-hushmail.com
servicesecupdate.com
service-usa-tre.info
smtprelayhost.com
softwaresupportsv.com
soligro.com
spelns.com
sportszone71.com
supports-microsoft.com
symantecsupport.org
testservice24.net
transparency-office365.com
uber-mails.com
umizg.org
updatepc.org
updatesoftware24.com
updatesvcsys.com
updates-windows.com
updatesystem.info
updatesystems.net
uploader.sytes.net
vascothreatscan.org
webmail-saic.com
webmail-saic.net
whatsapp-in.com
win32support.com
windowofficeupdate.com
windowsappstore.net
windowscheckupdater.net
windowsofficeupdate.com
windowsupdater.net
windowsxupdate.com
winsyscheck.com
winsyschecks.com
winsystemsvc.net
winupdatesysmic.com
wmdmediacodecs.com
worldmilitarynews.org
worldpoliticsnews.org
wsusconnect.com
www.actblues.com
www.adobeupdater.org
www.dailyforeignnews.com
www.diplomatnews.org
www.info2t.com
www.microsoftdriver.com
www.microsofthelpcenter.info
www.mscoresvw.com
www.natoint.com
www.office365-onedrive.com
www.onedrive365.com
www.servicesecupdate.com
www.sportszone71.com
www.symantecsupport.org
www.windowscheckupdater.net
www.winupdatesysmic.com
www.worldmilitarynews.org

# Reference: http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/

adobeupgradeflash.com
akamaisoftupdate.com
appservicegroup.com
apptaskserver.com
globalresearching.org
globaltechresearch.org
joshel.com
postlkwarn.com
researchcontinental.org
securityprotectingcorp.com
uniquecorpind.com
versiontask.com

# Reference: http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/

munimonoce.com
wscapi.com
tabsync.net
storsvc.org
servicecdp.com

# Reference: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor

azureon-line.com
mozilla-plugins.com
mozillaplagins.com

# Reference: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

msonlinelive.com
windows-updater.com
azureon-line.com

# Reference: http://pwc.blogs.com/files/cto-tib-20150420-01a.pdf

defencereview.net
brnlv-gv.eu
militaryobserver.net
netassistcache.com
asus-service.net
aolnets.com
natopress.org
natopress.com
defencereview.eu
intelsupport.net
globalnewsweekly.com
osce-oscc.org
enisa-europa.com
enisa-europa.org
techcruncln.com
nato-hq.com
iacr-tcc.org
nato-int.com
nato-info.com
bmlv-gv.eu
foreignreview.com
mediarea.org
osce-military.org
europeanda.com
softupdates.info
settings-yahoo.com
settings-live.com
delivery-yahoo.com
privacy-yahoo.com
privacy-live.com
westinqhousenuclear.com
webmail.westinqhousenuclear.com

# Reference: https://www.jigsawsecurityenterprise.com/single-post/2017/11/01/Malicious-Documents-Targeting-Security-Professionals
# Reference: https://app.any.run/tasks/8ac81174-d6d0-43d3-b2d2-c26e167a296b/

200200.duckdns.org
357.duckdns.org
ahr0cdovlzkyljiymi4ymdkundkvywn0a.0.d.255.adobeproduct.com
bonjourcheck.com
carlos88.ddns.net
d6231738c34.john-pc.c.mswordupdate17.com
d6238051c34.placehol-6f699a.c.mswordupdate17.com
d6238111c34.placehol-6f699a.c.mswordupdate17.com
d6238158c34.placehol-6f699a.c.mswordupdate17.com
d6238210c34.placehol-6f699a.c.mswordupdate17.com
d6261013c34.placehol-6f699a.c.mswordupdate17.com
d6261024c34.placehol-6f699a.c.mswordupdate17.com
d6261034c34.placehol-6f699a.c.mswordupdate17.com
elaxo.org
fastfileconverter.org
faststoragefiles.org
flashcontentdelivery.net
fsportal.net
googlea.net63.net
hhcghibvywzedwa2iyvsuzzhx8.2.d.255.adobeproduct.com
ikmtrust.com
ip113.ip-91-134-203.eu
jeremizo888.ddns.net
jflynci.com
maskulan.duckdns.org
maskulan.dynu.com
microsoftupdated.com
msoffice-cdn.com
myinvestgroup.com
n.3.f.255.adobeproduct.com
n.n.c.255.adobeproduct.com
n.n.c.26055.adobeproduct.com
n.n.c.303ff7b225c14f1498a2.cdnmsnupdate.com
networkschecker.net
ns1.cdnmsnupdate.com
ns2.cdnmsnupdate.com
ns2.ntpupdateserver.com
ns3.cdnmsnupdate.com
peacefund.eu
protectingsearch.com
runssnetworks.com
vascothreatscan.org
w9umi9wrvzsvlvstvfvslbumdfdvda5tl.1.d.255.adobeproduct.com
windows.mswordupdate17.com
windows81.duckdns.org
adobeproduct.com
cdnmsnupdate.com
sdhjjekfp4k.com

# Reference: https://www.threatconnect.com/blog/fancy-bear-leverages-blogspot/

access-apple-login-account.gq
account-activity-verification-login.ga
account-verify-comfirmation-info-login.ga
account-verify-comfirmation-info-login.gq
accountlogin-inc.ga
accountverify-disableinfo-login.gq
alert-new-login-com.ga
apple-realertlogin.gq
appleid-login-appleid.ga
appleid-manageaccountloginupdated.ga
appleidcustomer-servicess-com-loginaccount.ga
appleidcustomer-servicess-com-loginaccount.gq
browsersecurity.ga
change-password.gq
cleantarea-customerlogin-com.ga
clientareasecurity1.gq
clientareasecurity4.gq
com-recoverylogin.gq
com-supportlogin-adminverification.ga
darksecurity.ga
dns-sec-login-apple-invoice-confirmations.ga
dns-webapps-login-account-secure-servers.ga
documentation.gq
documentshandler.ga
emailloginerror.gq
facebook-login-page.gq
failure-login.ga
fileshelp.ga
fileshelp.gq
fileshelpprotut.ga
fileshelpprotut.gq
filestore.gq
goldsecurity.ga
info-apple-login-security.gq
jp-login.gq
locked-service-security.ga
login-bancochile-cl.ga
login-pap-web-access.ga
login-recovery.gq
login-sec-apple-secure-account-updated.ga
login-secure1-mobile.ga
login-unlock-account.ga
login-update-unlock.gq
loginapps-info.ga
loginpaypaas-securityuserid.ga
loginservice-maintanceserversecurity.gq
manage-login.gq
manage-logins.gq
mod-files.ga
mydocuments.gq
newaction-loginactivituresource.ga
newfiles.ga
ns-secures-login-accountjp-updates-community.gq
nursingdocumentation.gq
ourfiles.ga
pdf-document.ga
protector-files.ga
recoverylogin-access.ga
reset-password-com.ga
restore-login-account.gq
review-quilogin.ga
secure-bankofamerica--login-com.ga
secure-bankofamerica--login-com.gq
secure-login-helpid-locked.gq
secure-management-login-account-index-webpass.gq
secure-mobile-login1.gq
secure1-client-login.ga
secure1-client-login.gq
secure1-login-apps.gq
secure5647login-com.ga
security-login-information.gq
securitycenter.ga
securitymail.gq
service-account-home-login.gq
service-autoreset-password-youraccount.ga
service-login-apple-verify-account-locked.gq
servicelogin-access-failed.gq
services-loginaccount.ga
sharefiles.gq
signin-login-php.ga
smtprelayhost.com
srilankadocuments.ga
statement-login-update-info.ga
summary-loginconfirmation.ga
unsecured-login-attempt.ga
verify-login-account-iinformation.ga
verify-login-account-iinformation.gq
welcome-apple-protectyourpassword.gq
www-logined-apple-authsecure.ga

# Reference: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
# Reference: https://app.any.run/tasks/54a21ac9-f915-4556-8800-6f384fbbc6be/
# Reference: https://app.any.run/tasks/50eb1524-d95b-481e-b9d1-766c0a1fda74/
# Reference: https://app.any.run/tasks/396ccb39-ca44-4ae9-8584-96a8093ffc31/
# Reference: https://app.any.run/tasks/9abe2703-3750-4728-a932-129177b2a72a/

nethostnet.com
hostsvcnet.com
etcrem.net
movieultimate.com
newfilmts.com
fastdataexchange.org
liveweatherview.com
analyticsbar.org
analyticstest.net
lifeofmentalservice.com
meteost.com
righttopregnantpower.com
kiteim.org
adobe-flash-updates.org
generalsecurityscan.com
globalresearching.org
lvueton.com
audiwheel.com
online-reggi.com
fsportal.net
netcorpscanprotect.com
mvband.net
mvtband.net
viters.org
treepastwillingmoment.com
sendmevideo.org
satellitedeluxpanorama.com
ppcodecs.com
encoder-info.tk
wmdmediacodecs.com
postlkwarn.com
shcserv.com
versiontask.com
webcdelivery.com
miropc.org
securityprotectingcorp.com
uniquecorpind.com
appexsrv.net
adobeupgradeflash.com

# Reference: https://twitter.com/DrunkBinary/status/1032706788678950914

unimarkstamp.com
tvopen.online
ndsee.org
lowprt.org
evbrax.org
fbcdn.store

# Reference: https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/

my-iri.org
hudsonorg-my-sharepoint.com
senate.group
adfs-senate.services
adfs-senate.email
office365-onedrive.com

# Reference: https://threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/
# Reference: https://app.any.run/tasks/516fee6f-1b98-40d2-8dd1-65b9c79bd05e/
# Reference: https://app.any.run/tasks/41b1658f-1bb2-4891-8053-9401706b3ff7/
# Reference: https://app.any.run/tasks/09da60cd-710f-4466-9942-c4eb4862e7fb/
# Reference: https://app.any.run/tasks/d6a8d1db-52c8-4371-b6d3-bf740408bb10/
# Reference: https://app.any.run/tasks/c841c920-8d04-4164-9e22-a288fb6f91d3/

webversionact.org
cdnverify.net
nomartung.org
mdcrewonline.com
supservermgr.com
europehistoricalmuseum.com
vermasterss.com
webviewres.net
funnymems.com
satellitedeluxpanorama.com
space-delivery.com
nanetsdeb.com
fastphotobucket.com
myinvestgroup.com
travelbern.com
rapidfileuploader.org
viters.org
mvtband.net
wmdmediacodecs.com
spelns.com
lgemon.org
lowprt.org
acrobatportable.com
evbrax.org
gtranm.com
reportscanprotecting.org
runvercheck.com
remsupport.org
noticermk.com
globaltechresearch.org
joshel.com
applecloudupdate.com
akamaisoftupdate.com
wsusconnect.com
apptaskserver.com
appservicegroup.com
ppcodecs.com
dateosx.com
dowssys.com
mvsband.com
microsoftstoreservice.com
microsoftdccenter.com
dvsservice.net
dvsservice.com
akamaitechupdate.com
adobeupdatetechnology.com

# Reference: https://www.virustotal.com/#/ip-address/52.28.203.25

updmanager.com
microsoftdriver.com
windowsappstore.net

# Reference: https://github.com/eset/malware-ioc/blob/master/sednit/part2.adoc

1oo7.net
akamaisoft.com
cloudflarecdn.com
driversupdate.info
kenlynton.com
microsoftdriver.com
microsofthelpcenter.info
nortonupdate.org
softwaresupportsv.com
symantecsupport.org
updatecenter.name
updatesystems.net
updmanager.com
windowsappstore.net
ciscohelpcenter.com
microsoftsupp.com
timezoneutc.com
inteldrv64.com
advpdxapi.com

# Reference: https://github.com/eset/malware-ioc/blob/master/sednit/part1.adoc

aljazeera-news.com
ausameetings.com
bbc-press.org
cnnpolitics.eu
dailyforeignnews.com
dailypoliticsnews.com
defenceiq.us
defencereview.eu
diplomatnews.org
euronews24.info
euroreport24.com
kg-news.org
military-info.eu
militaryadviser.org
militaryobserver.net
nato-hq.com
nato-news.com
natoint.com
natopress.com
osce-info.com
osce-press.org
pakistan-mofa.net
politicalreview.eu
politicsinform.com
reuters-press.com
shurl.biz
stratforglobal.net
thediplomat-press.com
theguardiannews.org
trend-news.org
unian-news.info
unitednationsnews.eu
virusdefender.org
worldmilitarynews.org
worldpoliticsnews.org
worldpoliticsreviews.com
worldpostjournal.com
swsupporttools.com
capisp.com
dataclen.org
mscoresvw.com
windowscheckupdater.net
acledit.com
biocpl.org
wscapi.com
tabsync.net
storsvc.org
winupdatesysmic.com

# Reference: https://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf

northropgrumman.org.uk
counterterorexpo.com
nato.nshq.in
bostondynamlcs.com
natoexhibitionff14.com
vice-news.com
world-oil-company.com
hushmali.com
mfanews.info
azureon-line.com
us-mg6mail-service.com
mail.telecharger-01.com
ns1.mfanews.org
updatepc.org
ya-support.com
changepassword-hotmail.com
mail.sofexjordanx.com
kavkazcentr.info
webmail.windows-updater.com
abbott-export.com
mfapress.com
www.eurosatory-2014.com
yavuz16.org
mfauz.com
mrthelp.org
egreetingsfrom.us
kitegacc.net
kitegacc.com
mail.rnil.am
hothookup.net
netschecker.com
webmail-saic.com
intuitstatistics.info
flickr-service.com
n0vinite.com
assaas.org
rnil.cl
helpfromhome.co
gdforum.net
set121.com
academl.com
changepassword-yahoo.com
greetingcardproject.com
adawareblock.com
securitypractic.com
rnil.am
ya-login.com
mx1.g0b.mx
product-update.com
memoinfo.ru
privacy-live.com
tolonevvs.com
us-westmail-undeliversystem.com
test.chmail.in
kakashka.chmail.in
gov.hu.com
us-mg6-transfermail-service.com
us-mg6-mailreport.com
aadexpo2014.co.za
www.gdforum.info
militaryinf.com
valuetable.hk
googlesetting.com
hotmail-monitor.com
junlper.net
www.ya-support.com
g-analytics.net
www.sofexjordanx.com
privacy-yahoo.com
yahoo.chmail.in
windous.kz
youtubeclip.org
aa.69.mu
qov.hu.com
vvorthyhands.org
dkvnz.com
mail.account-flickr.com
bulletin-center.com
yovtube.co
skidkaturag.com
defenceiq.us
mail-google.info
soft-storage.com
clickchekkker.com
intuitanalys.com
sofexjordanx.com
intuitstatistic.com
militaryexponews.com
caciltd.com
windows-updater.com
mail.securitypractic.com
www.surll.me
heidelberqcement.com
armypress.org
sweetcherry.org
account-flickr.com
setnewpass-yahoo.com
scanmalware.info
greetingcardsproject.com
q0v.pl
link-google.com
www.forsvaret.co
cubic.com.co
mail.mrthelp.org
www.us-mg7mail-transferservice.com
www.vljaihln.com
ifcdsc.org
smigroup-online.co.uk
100plusapps.com
pruintco.com
www.yahoo-monitor.com
www.chmail.in
litu.su
www.dkvnz.com
mail.yahoo-monitor.com
us-mg7mail-transferservice.com
evrosatory.com
wind0ws.kz
farnboroughair2014.com
mfa-gov.info
y-privacy.com
login-osce.org
helpmicrosoft.net
sofexjordan2014.com
malwarecheck.info
update-hub.com
mx3.set121.com
srv-yahoo.com
bostondyn.com
aerospacesystem.us.com
eurosatary.com
telecharger-01.com
chmali.ir
privacy.google-settings.com
yandex-site.com
www.7daysinabudhabi.org
www.account-flickr.com
google-settings.com
ns1.greetingcardproject.com
eurosator.com
update-zimbra.com
asisonlline.org
mfapress.org
stockliquidationgroup.com
pasport-yandex.com
konami-game.com
www.adawareblock.com
persa124.in
eurosatory-2014.com
clickchekker.com
al-wayi.com
molodirect.net
com-0cd.net
us-mg6mailyahoo.com
finance-reports.everyday.com-w13.net
apple-iclouds.com
unizg.net
mfanews.org
mail.ya-support.com
checkmalware.org
geaviations.com
flashsecurity.org
imperialc0nsult.com
cublc.com
evronaval.com
xuetue2013.com
www.valuetable.hk
mail.chmail.in
nshq.in
forsvaret.co
in-eternal-memory-of.com
www.us-westmail-undeliversystem.com
gdforum.info
sex-toy-shop.org
novinitie.com
yahoo-monitor.com
standartnevvs.com
pornforyou.in
mail.q0v.pl
mail.windows-updater.com
allcashin.com
arnf.bg
gpwpl.com
updateapi.longmusic.com
chmail.in
brokersads.com
testservice24.net
kavkazjlhad.com
livemicrosoft.net
surll.me
accesd-de-desjardins.com
mail.hushmali.com
sunmicrosystem.info
bytly.org
mx.rnil.cl
poczta.mon.q0v.pl
ns.mfanews.org
7daysinabudhabi.org
privacy-hotmail.com
ns1.al-wayi.com
ecards-yahoo.com
eurosatory2014.com
yahoo-analytics.com
www.srv-yahoo.com
set133.com

# Reference: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
# Reference: https://otx.alienvault.com/pulse/55346adeb45ff536ca3ffd2c/

updatecenter.name
securitypractic.com
pass-google.com
drivers-update.info
nato-press.com

# Reference: https://www.symantec.com/security_response/writeup.jsp?docid=2016-031520-4610-99&tabid=2

azureon-line.com
mozilla-plugins.com
mozillaplagins.com

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/

microsoftstoreservice.com
servicetlnt.net
windowsdefltr.net
appexsrv.net
securityprotectingcorp.com
uniquecorpind.com
versiontask.com

# Reference: https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

secao.org
ikmtrust.com
sysanalyticweb.com
lxwo.org
jflynci.com
remotepx.net
rdsnets.com
rpcnetconnect.com
webstp.com
elaxo.org

# Reference: https://twitter.com/Bank_Security/status/1048113406597910528
# Reference: https://www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf

bbcweather.org
beststreammusic.com
brownvelocity.org
bulgariatripholidays.com
coindmarket.com
creekcounty.net
daysheduler.org
escochart.com
fnbcorporate.co.za
fundseats.com
genericnetworkaddress.com
georgia-travel.org
globaltechengineers.org
iboxmit.com
loungecinemaclub.com
malaytravelgroup.com
moderntips.org
moldtravelgroup.com
narrowpass.net
picturecrawling.com
pointtk.com
politicweekend.com
powernoderesources.com
protonhardstorage.com
thepiratecinemaclub.org
topcinemaclub.com
truefashionnews.com
virtsvc.com
worldimagebucket.com

# Reference: https://twitter.com/Jan0fficial/status/1053227074792706048
# Reference: https://pastebin.com/44bJm0Gf

185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php
45.124.132.127/action-center/centerforserviceandaction/service-and-action.php

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/

adfs.senate.group
adfs-senate.email
adfs-senate.services
adfs.senate.qov.info
chmail.ir.udelivered.tk
webmail-ibsf.org
fil-luge.com
biathlovvorld.com
mail-ibu.eu
fisski.ca
iihf.eu

# Reference: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

188.241.58.170/local/s3/filters.php
188.241.58.170/live/owa/office.dotm
200.122.181.25/catalog/products/books.php

# Reference: https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/

188.241.58.170/local/s3/filters.php
185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php
145.249.105.165/resource-store/stockroom-center-service/check.php
109.248.148.42/agr-enum/progress-inform/cube.php

# Reference: https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/

photopoststories.com

# Reference: https://asert.arbornetworks.com/lojax-fancy-since-2016/

elaxo.org
hp-apps.com
jflynci.com
moldstream.md
msfontserver.com
ntpstatistics.com
oiagives.com
oiatribe.com
peacefund.eu
regvirt.com
remotepx.net
sysanalyticweb.com
treckanalytics.com
unigymboom.com
visualrates.com
vsnet.co
webstp.com

# Reference: https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf

photopoststories.com
proposalprogram.com

# Reference: https://twitter.com/kyleehmke/status/1105151293486710785

radioplaymusicus.com
servertest123.tk

# Reference: https://threatconnect.com/finding-nemohost-fancy-bear-infrastructure/
# Note: SSL certificate f27c4270b9b9291f465ba5962c36ce38f438377acff300b5c82b3b145f0c9e94

90update.com
aljazeera-news.com
ambcomission.com
ckgob.com
connectsmd.net
cryptokind.com
deshcoin.com
dmsclock.org
dochardproofing.com
driverfordell.com
ebramka.info
fes-auth.com
hello76.com
hostedopenfiles.net
hostsvcnet.com
intelstatistics.com
kiteim.org
knightconsults.com
kremotevn.net
lasarenas.lt
lopback.com
megauploadfiles.org
ndsee.org
nemaskalitnium.com
neoderb.com
netcorpscanprotect.com
nethostnet.com
networkfilehosting.com
networkxc.net
news-almasirah.net
newsfromsource.com
perfect-remote-service.com
platnosci.biz
postmarksmtp.com
probenet.eu
remnet.org
remonitor.net
remotemanagesvc.net
remsvc.net
rhfcoin.com
sa7efa.com
searchbrain.net
serbview.com
showitem.lt
societyatcuriousteacher.com
spelns.com
startthedownload.com
systemfromcuriousmoment.com
unisecproper.org
unitedprosoftcompany.org
uploadsforyou.com
wintwinbtc.com
wmiapp.com
zpfgr.com

# Passive DNS for sofacy sinkhole 52.45.178.122 (on 2019-03-13)

1oo7.net
34564414564.com
5thelementq8.com
645547657668787.com
access-google.com
acledit.com
adobeincorp.com
adobeproduct.com
adobeupdater.org
advpdxapi.com
akamaicachecdn.com
akamaisoftupdate.com
apple-checker.org
applecloudupdate.com
apple-iclods.org
apple-search.info
apple-uptoday.org
app-submitcentre.com
autoupdater.org
blacktivist.info
bonjourcheck.com
brownvelocity.org
cdnmsnupdate.com
checkmalware.info
checkmalware.org
checkwinframe.com
cleanphonetrksftware.com
cloudflarecdn.com
dateosx.com
decisionoverpregnantroad.com
dncvotebuilder.com
drivers-update.info
driversupdate.info
dvsservice.net
ecitcom.net
egypressoffice.com
eservicesystems.net
evbrax.org
extad.info
extstat.info
fastdataexchange.org
fastfileconverter.org
faststoragefiles.org
fbcdn.store
fsportal.net
generalsecuritycorp.org
globaltechresearch.org
gtranm.com
hubsg.net
iboxmit.com
iforgot-verification.com
intelmeserver.com
jflynci.com
kenlynton.com
legacydiner.org
lgemon.org
linuxkrnl.net
log-in-osce.org
login-security-center.com
lowprt.org
malwarecheck.info
meteost.com
micoft.com
microsofi.org
microsoftupdated.com
miropc.org
mlidef.com
msrdr.com
msrwr.com
mswordupdate17.com
mvband.net
mvsband.com
mvtband.net
nanetsdeb.com
naoasch.com
natoexhibitionff14.com
ndsee.org
netcorpscanprotect.com
networkschecker.net
newfilmts.com
nortonupdate.org
noticermk.com
petropershiyinukra.com
pldtprv.net
pointtk.com
rapidfileuploader.org
rdsnets.com
remsupport.org
reportscanprotecting.org
reservecorpind.com
rpcnetconnect.com
runssnetworks.com
runvercheck.com
satellitedeluxpanorama.com
scanmalware.info
sdhjjekfp4k.com
secao.org
secnetcontrol.com
securitysls.com
securityupdatereport.com
servicecorptech.com
servicesecupdate.com
servicetlnt.net
service-usa-tre.info
smtprelayhost.com
soft-storage.com
softwaresupportsv.com
softwaresupportsv.name
soligro.com
space-delivery.com
spelns.com
statisticsnetworks.com
supservermgr.com
svit-zer.com
tablebeforehelpfulperson.com
testservice24.net
treckanalytics.com
treepastwillingmoment.com
tvopen.online
uber-mails.com
um10eset.net
umizg.org
unimarkstamp.com
updatepc.org
updatesoftware24.com
updatesvcsys.com
updatesystem.info
updatesystems.net
vascothreatscan.org
vermasterss.com
viters.org
watertolargeprice.com
webstp.com
windowsdefltr.net
wmdmediacodecs.com
wsusconnect.com

# Passive DNS for sofacy sinkhole 52.45.178.122 (on 2020-01-14)

1oo7.net
acledit.com
adobeincorp.com
adobeupdater.org
akamaisoftupdate.com
ambcomission.com
analyticsrequest.com
appservicegroup.com
as23-updater-symantec.org
bbcweather.org
brownvelocity.org
cdnverify.net
cgna.info
checkmalware.info
checkmalware.org
cmdswitch.xyz
coindmarket.com
docs77.com
drivers-update.info
driversupdate.info
dxtveuux.com
eservicesystems.net
esetsmart.org
eskvortsov.com
experiencewithweakkid.com
extstat.info
fastfileconverter.org
faststoragefiles.org
ikmtrust.com
intelmeserver.com
kenlynton.com
linuxkrnl.net
malwarecheck.info
meteost.com
ministernetwork.org
miropc.org
msrwr.com
mvband.net
mysent.org
nanetsdeb.com
netcorpscanprotect.com
nethostnet.com
newfilmts.org
nomartung.org
ntpstatistics.com
pandadefender.com
powerpolymerindustry.com
ppcodecs.com
rapidfileuploader.org
rdsnets.com
reasonwithusefulpolicy.com
reservecorpind.com
rpcnetconnect.com
scanmalware.info
servicetlnt.net
soft-storage.com
softwaresupportsv.name
soligro.com
sourcerepolist.org
statisticsnetworks.com
streetunderrelevantpeople.com
svit-zer.com
systembeforeniceparent.com
tablebeforehelpfulperson.com
testservice24.net
thepiratecinemaclub.org
treepastwillingmoment.com
umizg.org
unimarkstamp.com
updatesoftware24.com
updatesystems.net
varuhusmc.org
virtsvc.com
watertolargeprice.com

# Reference: https://twitter.com/VK_Intel/status/1092324957772750848

/company-device-support/values/correlate-sec.php

# Reference: https://twitter.com/Mao_Ware/status/1092797858301034496

/action-center/centerforserviceandaction/service-and-action.php

# Reference: https://twitter.com/VK_Intel/status/1088145389356806146

/locale/protocol/volume.php

# Reference: https://twitter.com/VK_Intel/status/1076912689119748096

/technet-support/library/online-service-description.php

# Reference: https://twitter.com/VK_Intel/status/1075307666434600960

/advanced/portable_version/service.php

# Reference: https://twitter.com/blackorbird/status/1107593605252677633

appleupdate.org

# Reference: https://twitter.com/kyleehmke/status/1105151293486710785

radioplaymusicus.com
servertest123.tk

# Reference: https://twitter.com/dewan202/status/1107348923826491392
# Reference: https://www.virustotal.com/gui/ip-address/104.171.117.216/relations

http://104.171.117.216
goldenbuckz.com
zoomailer.org

# Reference: https://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/

ndpmedia24.com

# Reference: https://twitter.com/kyleehmke/status/1113085089909440513

historicalfilms720hd.com
jazzradiostream.com
rockradiostream.com
msofficelab.com
onlineubersplit.com
renodesmart.com

# Reference: https://twitter.com/VK_Intel/status/1115080282221293568

/supptech18i/suppid.php
/fdfd_iunub_hhert_ps.php

# Reference: https://twitter.com/Bank_Security/status/1115130011160383488
# Reference: https://pastebin.com/atN2w5SE
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
# Reference: https://otx.alienvault.com/pulse/5cab3bf39e861d5e97554699

beatguitar.com
/agr-enum/progress-inform/cube.php
/local/s3/filters.php
/zx-system/core/main-config.php
/en_action_device/center_correct_customer/drivers-i7-x86.php
/db-module/version_1594/main.php
/Verifica-El-Lanzamiento/Ayuda-Del-Sistema/obtenerId.php
/action-center/centerforserviceandaction/service-and-action.php
/company-device-support/values/correlate-sec.php
/SupportA91i/syshelpA774i/viewsupp.php
/technet-support/library/online-service-description.php
/resource-store/stockroom-center-service/check.php
/advance/portable_version/service.php
/pkg/image/do.php

# Reference: https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals/

functiondiscovery.net

# Reference: https://otx.alienvault.com/pulse/5ce65ec381f415c7dc794d41

/action-center/centerforserviceandaction/service-and-action.php

# Reference: https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community
# Reference: https://otx.alienvault.com/pulse/5cefdae12f7645afa995961e

experiencewithweakkid.com
maylaytravelgroup.com
reasonwithusefulpolicy.com
schooltillhungryprocess.com
streetunderrelevantpeople.com
systembeforeniceparent.com

# Reference: https://securelist.com/zebrocys-multilanguage-malware-salad/90680/

http://94.156.189.120
rammatica.com
raveston.com
/manual/current/symphony.php

# Reference: https://twitter.com/ClearskySec/status/1139160272755744774

fatherinfriendlyroad.com
guytillintelligentposition.com
networkcentrals.com
newstyleradio.net

# Reference: https://community.riskiq.com/projects/8b14d778-99be-d744-af06-36ffc0937b38

sportever.org

# Reference: https://community.riskiq.com/projects/47b45f6d-3b11-2082-0c04-dd8720fd3b67

bulgariaholidays.bg
escochartzone.com
thesocialstrategies.com
tripadvicecommunity.com
worldchanneltour.com

# Reference: https://community.riskiq.com/projects/6290b968-d907-d5fb-c31e-9b7bf830ec2c

golivecamp.net

# Reference: https://twitter.com/VK_Intel/status/1145270462559195137

http://213.252.245.32/ControllerReset/view/register/comid/sid.php

# Reference: https://twitter.com/daphiel/status/1148128770014011392

onedrv-live.com
onedrive-sharedfile.com
microsoft-onthehub.com
my-sharepoints.com
my-sharefile.com

# Reference: https://www.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing

accounts-office.fr
en-marche.co
mail-en-marche.fr
onedrive-en-marche.fr
portal-office.fr

# Reference: https://twitter.com/kyleehmke/status/1150834700069552130
# Reference: https://otx.alienvault.com/pulse/5d2db9cc8e1eb4d4d4be15e5

office365-osf.am
office365-osi.am
osfam.events
osfam.team
soros-my-sharepoint.com

# Reference: https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

128.199.199.187:443
167.114.153.55:443
31.220.61.251:443
82.118.242.171:443
94.237.37.28:443

# Reference: https://medium.com/@rsatter/decoding-the-gru-indictment-bfb2c08fe362
# Reference: https://otx.alienvault.com/pulse/5d88c12375a272432c4cd9ec

cyb3rc.com
electionleaks.com
linuxkrnl.net

# Reference: https://twitter.com/pancak3lullz/status/1176856452780179456

http://185.221.202.35/software-protection/app.php

# Reference: https://threatconnect.com/blog/how-to-investigate-incidents-in-threatconnect/

office365-microsoft.com
syrianhrc.org
aljazeera-news.com
unian-news.info
mastconf.com
farele.co
mofa.farele.co
yandex-control.ru
pentestinglab.com
accountgooogle.com
accounts-gooogl.com
accountsgooglemail.com
afghanistanmfa.net
webmail.afghanistanmfa.net
akragames.net
pus.akragames.net
cloudmicrosoft365.com
cryptogo.net
#dcleaks.com
gooogle-login.com
gov-kw.com
mail.kuwaitarmy.gov-kw.com
live-settings.com
login-one.com
mail-hurriyet.com
mailtransferservice.com
newsweekadviser.com
posta-hurriyet.com
smtprelayhost.com
unrightswire.org
mx.unrightswire.org
mail.unrightswire.org
privacy-yandex.ru
emailyandex.ru
action-yandex.ru
report-yandex.ru
yandex-report.ru
service-yandex.ru
activity-yandex.ru
settinqs-yandex.ru
mail-service-yandex.ru
int-live.com
mailsettings-yandex.ru
e-mail-supports.com
team-google.com
accounts-qooqle.com
google-password.com
drive-google.ga
google-login.ml
google-password.ml
top-total.com
drive-auth.com
password-google.com
account.password-google.com
ftp.password-google.com
redirect.screenameaol.com
myaccountgoogle.ga
markburgston.com
delivery-yandex.ru
yandex-site.com
pasport-yandex.com
gdforum.net gdforum.info google-passwd.com hurriyet.org.uk # Reference: https://twitter.com/kyleehmke/status/1186114823341400064 ovhsec.com # Reference: https://meltx0r.github.io/tech/2019/10/24/apt28.html # Reference: https://otx.alienvault.com/pulse/5db2cff18faf1f1d826cd074 pavlodar.news /modules/Contact/Includes/1c.php /modules/Contact/Includes/2c.php # Reference: https://twitter.com/LastlineLabs/status/1022865021343330305 secao.com # Reference: https://twitter.com/Vishnyak0v/status/1197129423830626318 http://37.120.140.215 http://79.142.70.106 # Reference: https://cdn.area1security.com/reports/Area-1-Security-PhishingBarismaHoldings.pdf # Reference: https://otx.alienvault.com/pulse/5e1da5a3ca48088035ce6c5a # Reference: https://twitter.com/kyleehmke/status/1207779048086286336 # Reference: https://twitter.com/kyleehmke/status/1216905172305227776 cubenergy-my-sharepoint.com dpkshodnya-mysharepoint.com hudsonorg-my-sharepoint.com esco-plvnlch.com kub-gas.com kvatral95.com minjust-gov-ua.com my-ukr.net soros-my-sharepoint.com # Reference: https://twitter.com/ydklijnsma/status/1218599851669233666 184.95.51.172 liveserviceonedrive.com # pDNS 78.142.19.114 photosyncdrive.com # pDNS 80.255.3.116 gecurrenttime.com # pDNS 193.70.80.214 aeroservicemax.com # pDNS 185.141.63.103 scalingreserve.com # pDNS 109.169.15.73 ovhsec.com # pDNS 178.32.251.98 placeuntilknownparent.com # pDNS # Reference: https://twitter.com/kyleehmke/status/1286779311626870791 # Reference: https://twitter.com/kyleehmke/status/1286779313384312834 revampme.net # Reference: https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed # Reference: https://blog.angelalonso.es/2017/10/hunting-apt28-cve-2017-11292-flash.html?m=0 # Reference: https://www.virustotal.com/gui/file/362a8297a0ff603553e992626a8e28c0aa19d038557da82fe6f4526988601be7/behavior/Tencent%20HABO blackpartshare.com mountainsgide.com contentdeliverysrv.net space-delivery.com # 
Reference: https://doc.emergingthreats.net/bin/view/Main/2023662 gpufps.com # Reference: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/probing-pawn-storm-cyberespionage-campaign-through-scanning-credential-phishing-and-more # Reference: https://otx.alienvault.com/pulse/5e736669fcc47a29220ce3f0 0x4fc271.tk 0xf4a5.tk 0xf4a54cf56.tk 546874.tk change-password.ml id24556.tk id451295.com id6589.com yahoo-change-password.com # Reference: http://www.hexcapes.com/sofacy-in-poland/ picturecrawling.com popdancestream.com webchartzone.com # Reference: https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html http://89.37.226.123/advance/portable_version/service.php # Reference: https://documents.trendmicro.com/assets/appendix_looking-into-a-cyber-attack-facilitator-in-the-netherlands.pdf # Reference: https://vxcube.com/recent-threats-ioc/5c74c73ca39bb5786f9664d3/detail aijazeera.org blu172maillive.com catholicsinaliance.org cc-yahoo-inc.org defensenews.org edit-mail-yahoo.com e-post.byegm.web.tr eservicesystems.net euroreport24.com help-yahoo-service.com int-live.com iraqinews.info itunes-helper.net live-settings.com loqin-yandex.ru mail.byegm.web.tr mail.g0v.me mailhost.university-tartu.info mailhost-ut.ee mail-hurriyet.com mail-justus.com.ua mail.kuwaitarmy.gov-kw.com mailmil.ae mail.mofa.g0v.qa mail-navy.ro mail.rsaf.qov.sa.com mail.teiecomitalia.it mfagreece.com military-info.eu mobile-sanoma.net mycloud-mail.ru nato-news.com options-mail.ru osce-info.com osce-press.com pasport-yandex.ru poczta.mon-gov.pl posta-hurriyet.com privacy-facebook.me privacy-yahooservice.com redirect2app.cf reuters-press.com rn-mail.ru service-ukr.net service-yahoo.com setting-mail.ru tbmm.qov.web.tr unbulletin.com webmail-gov.me webmail-mil.gr webmail.mofa.qov.ae worldpoliticsreviews.com wsjworld.com yahoo.securepassword.info # Reference: https://www.vkremez.com/2019/01/lets-learn-progression-of-apt28-autoit.html # Reference: 
https://www.virustotal.com/gui/ip-address/145.249.106.198/relations # Reference: https://www.virustotal.com/gui/ip-address/185.236.203.53/relations # Reference: https://www.virustotal.com/gui/file/5b52bc196bfc207d43eedfe585df96fcfabbdead087ff79fcdcdd4d08c7806db/detection # Reference: https://www.virustotal.com/gui/file/384c9a19dd6f0f73bee575e54801f9608883ae31db1b399a28b8cc5f7aa9a26c/detection http://80.255.6.5 http://185.236.203.53 http://194.187.249.126 http://220.158.216.127 145.249.106.198:443 185.236.203.53:443 # Reference: https://twitter.com/ShadowChasing1/status/1251164774982795266 bohack51.ddns.net # Reference: https://twitter.com/dewan202/status/1255582744110862345 # Reference: https://www.virustotal.com/gui/file/7edacdf35900e722b798dbc891159cf1ede9f6d671a86b0f01f9ef802202aa73/detection # Reference: https://www.virustotal.com/gui/ip-address/185.77.129.152/relations # Reference: https://www.virustotal.com/gui/ip-address/93.115.38.132/relations http://185.77.129.152 http://93.115.38.132 /wwpydsmrulkdp/arpz/ # Reference: https://twitter.com/Vishnyak0v/status/1257606954085646337 http://185.221.202.36 /overstock/brand.php # Reference: https://www.virustotal.com/gui/ip-address/23.227.196.215/relations http://23.227.196.215 # Reference: https://twitter.com/Vishnyak0v/status/1269651391980736513 http://185.234.52.168 /categories/buildings.php # Reference: https://app.any.run/tasks/0f0eb583-abcf-4e0f-a803-2b1d3bfdfe47/ http://89.37.226.148 # Reference: https://twitter.com/ShadowChasing1/status/1291931828723408896 # Reference: https://www.virustotal.com/gui/file/aac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec/detection # Reference: https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/ # Reference: https://otx.alienvault.com/pulse/5f6a13f6bd6ff146fa3967de http://194.32.78.245 /protect/get-upd-id.php # Reference: https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF # Reference: 
https://otx.alienvault.com/pulse/5f3581cc4138be1d82c183b8 http://185.86.149.125 # Reference: https://www.virustotal.com/gui/file/02de72e43d578c45d9d6359299cb2d47771081617ff01363b736414eb831deea/detection http://69.90.132.215 # Reference: https://www.virustotal.com/gui/file/76f8f159637c9201e98ed1aab5e0359ea983c5cce8ced832bae13dffab0f73a8/detection bl4kj2.zapto.org # Reference: https://twitter.com/Vishnyak0v/status/1310861022954225664 # Reference: https://www.virustotal.com/gui/file/7f698295230f59c7ca8193322eb48d71cd203f3675139f2da99e326589bfdad3/detection # Reference: https://www.virustotal.com/gui/file/e23b7a912f6bd16d634a1acce41922f277242ec8ab9c354754b5e97a0bab85d0/detection http://31.7.62.103 # Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ http://185.25.50.93 http://185.25.51.114 http://185.25.51.164 http://185.25.51.198 http://185.77.129.152 http://188.241.68.121 http://194.187.249.126 http://213.103.67.193 http://213.252.244.219 http://213.252.245.132 http://220.158.216.127 http://222.15.23.121 http://46.102.152.127 http://46.183.223.227 http://80.255.6.5 http://86.105.18.106 http://86.105.18.111 http://86.106.131.177 http://89.249.65.166 http://89.249.65.234 http://89.40.181.126 http://89.45.67.153 http://93.113.131.117 http://93.113.131.155 http://93.115.38.132 /test-update-16-8852418/temp727612430/checkUpdate89732468.php /test-update-17-8752417/temp827612480/checkUpdate79832467.php /syshelp/kd8812u/protocol.php /syshelp/kd8812u/ /tech99-04/litelib1/setwsdv4.php /tech99-04/litelib1/ /setwsdv4.php /techicalBS391-two/supptech18i/suppid.php /get-help-software/get-app-c/error-code-lookup.php /srv_upd_dest_two/destBB/en.php /stream-upd-service-two/definition/event.php /wWpYdSMRulkdp/arpz/MsKZrpUfe.php /update/dB-Release/NewBaseCheck.php /database-update-centre/check-system-version/id=18862.php /security-services-DMHA-group/info-update-version/id77820082.php /ghflYvz/vmwWIdx/realui.php 
/client-update-info/version-id/version333.php /cumulative-security-update/Summary/details.php /search-release/Search-Version/crmclients.php /setting-the-os-release/Support-OS-release/ApiMap.php /search-sys-update-release/base-sync/db7749sc.php /db7749sc.php /gft_piyes/ndhfkuryhs09/fdfd_iunb_hhert_ps.php /ndhfkuryhs09/ /fdfd_iunb_hhert_ps.php /services-check-update/security-certificate-11-554/CheckNow864.php /CheckNow864.php /daily-update-certifaicates52735462534234/update-15.dat/ /LoG-statistic8397420934809/date-update9048353094c/StaticIpUpdateLog23741033.php /StaticIpUpdateLog23741033.php /apps.update/DetailsID/clientPID-118253.php /data-extract/timermodule/update-client.php /debug-info/pluginId/CLISD1934.php /ram-data/managerId/REM1234.php /versionID/Plugin0899/debug-release01119 /UpdateCertificate33-33725cnm^BB/CheckerNow-saMbA-99-36^11/CheckerSerface^8830-11.php /srvSettings/conf4421i/ /srvSettings/conf4421i/support.php /SupportA91i/syshelpA774i/ /SupportA91i/syshelpA774i/viewsupp.php /clientid-and-uniqued-r2/the-differenceU/Events76.php /int-release/check-user/userid.php /guard-service/Servers-ip4/upd-release /verification-online/service.911-19/check-verification-88291.php /grenadLibS44-two/fIndToClose12t3/sol41.php /supportfsys/t863321i/func112SerErr.php /func112SerErr.php /KB7735-9927/security-serv/opt.php /Verifica-El-Lanzamiento/Ayuda-Del-Sistema/obtenerId.php /wWpYdSMRulkdp/arpz/MsKZrpUfe.php /wWpYdSMRulkdp/arpz/ /wWpYdSMRulkdp/ /MsKZrpUfe.php # Reference: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b # Reference: https://otx.alienvault.com/pulse/5f9b0ac2ac1088826c07eb3b # Reference: https://www.virustotal.com/gui/file/2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8/detection # Reference: https://www.virustotal.com/gui/file/0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1/detection 23.200.147.10:80 # Reference: https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/ # Reference: 
https://otx.alienvault.com/pulse/5fd10cde3563e4121cbab5c7 support-cloud.life /managment/cb-secure/technology.php /technet-support/library/online-service-description.php # Reference: https://twitter.com/Arkbird_SOLG/status/1336834398784786432 http://185.77.131.110 http://46.183.218.34 http://80.255.12.252 http://92.114.92.128 drive365us.com # Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz # Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz baltichost.org # Reference: https://twitter.com/RedDrip7/status/1362343352759250946 # Reference: https://otx.alienvault.com/pulse/602fe96189be26708dfafe17/ # Reference: https://www.virustotal.com/gui/file/1dd03c4ea4d630a59f73e053d705185e27e2e2545dd9caedb26a824ac5d11466/detection # Reference: https://www.virustotal.com/gui/file/3b548a851fb889d3cc84243eb8ce9cbf8a857c7d725a24408934c0d8342d5811/detection c4csa.org/includes/sources/felims.php xbhp.com/dominargreatasianodyssey/wp-content/plugins/akismet/style.php # Reference: https://twitter.com/cluster25_io/status/1400467624912318470 # Reference: https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf (# SkinnyBoy) # Reference: https://www.virustotal.com/gui/ip-address/194.33.40.72/relations # Reference: https://www.virustotal.com/gui/ip-address/5.149.253.45/relations getstatpro.com updaterweb.com # Reference: https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/ # Reference: https://otx.alienvault.com/pulse/60eff240c7c9cb4f24907049 # Reference: http://report.threatbook.cn/ST.pdf 000000027.xyz 1000018.xyz 1000020.xyz 1221.site 15052021.space 1681683130.website 16868138130.space 1833.site 2055.site 2215.site 2f9348243249382479234343284324023432748892349702394023.xyz 32689657.xyz 32689658.xyz 33655990.cyou 29572459487545-4543543-543534255-454-35432524-5243523-234543.xyz 
4895458025-4545445-222435-9635794543-3242314342-234123423728.space 512521525-5245451515-985978774-2341235146436.xyz 9348243249382479234343284324023432748892349702394023.xyz 9832473219412342343423243242364-34939246823743287468793247237.site 99kg.site coronavirus5g.site name1d.site name4050.com # Reference: https://www.virustotal.com/gui/ip-address/45.146.164.37/relations # Reference: https://www.virustotal.com/gui/file/b72188ba545ad865eb34954afbbdf2c9e8ebc465a87c5122cebb711f41005939/detection 150520212.space 150520213.space 32689659.xyz 99996665550.fun getvps.site # Reference: https://twitter.com/billyleonard/status/1446226367008313344 great-site.net service-reset-password-moderate-digital.rf.gd reset-service-identity-mail.42web.io digital-email-software.great-site.net # Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_APT28.json cdn-nrdata.live checklogin.in ciscosupports.com dancemusicstream.com doorbehindentirerelationship.com familynearbysuitablenumber.com groupsincevisibleend.com hostapp.link hourduringstrictsense.com memcached.in msrole.com nationalzonehouse.com outlook-update.live powerfromfamousbank.com systembetweendifficultquality.com utmserver.com # Reference: https://twitter.com/billyleonard/status/1482034733072752640 consumerpanel.eu3.biz consumerpanel.eu3.org consumerspanelsrv.eu3.org protectpanel.eu3.biz updateservicecenter.blogspot.com # Reference: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html # Reference: https://www.virustotal.com/gui/file/1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40/detection jimbeam.live wordkeyvpload.net wordkeyvpload.org # Reference: https://blog.bushidotoken.net/2022/01/tracking-renewable-energy-intelligence.html # Reference: https://otx.alienvault.com/pulse/61e6de4edebb498761384f2a alphabitconsulting.com armaghanteb.com centralinsumos.com.bo cercoselectricos.cl englishlessons-houston.com flammaautomoveis.com.br 
primage.com.br pwametalurgica.com.br quadteximagery.com saleswarriorinc.com saojoaodaurtigars.com.br # Reference: https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/ consumerspanel.frge.io hatdfg-rhgreh684.frge.io id-unconfirmeduser.frge.io ua-consumerpanel.frge.io # Reference: https://cert.gov.ua/article/40102 (Ukrainian) eo2mxtqmeqzafqi.m.pipedream.net # Reference: https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/ # Reference: https://cert.gov.ua/article/341128 (# Ukrainian) # Reference: https://www.virustotal.com/gui/file/daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01/detection kitten-268.frge.io kompartpomiar.pl/grafika/ # Reference: https://twitter.com/teamcymru_S2/status/1540390953516765185 caribou-forge-server.new.c66.me monkey-129.getforge.site # Reference: https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ 9b5uja.am.files.1drv.com kdmzlw.am.files.1drv.com # Reference: https://www.virustotal.com/gui/file/87f363afc9778efc78dd3e0ced112d8d66a09a8924091f0927ed02a7b64850d2/detection http://109.248.148.42 # Reference: https://twitter.com/angel11VR/status/1636474327926206470 # Reference: https://pastebin.com/FJDa0MA8 http://85.195.206.7 85.195.206.7:445 # Reference: https://twitter.com/RedDrip7/status/1640342052327108609 # Reference: https://www.virustotal.com/gui/file/ece085c17ac5e822b78c533366e725bc845e215dcda78c0502ebd7f33ccb06ed/detection http://5.199.162.132 5.199.162.132:445 # Reference: https://unit42.paloaltonetworks.com/threat-brief-cve-2023-23397/ # Reference: https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/ http://101.255.119.42 http://113.160.234.229 http://168.205.200.55 http://181.209.99.204 http://185.132.17.160 http://213.32.252.221 http://24.142.165.2 http://42.98.5.225 http://61.14.68.33 http://69.162.253.21 http://69.51.2.106 
http://82.196.113.102 101.255.119.42:445 113.160.234.229:445 168.205.200.55:445 181.209.99.204:445 185.132.17.160:445 213.32.252.221:445 24.142.165.2:445 42.98.5.225:445 61.14.68.33:445 69.162.253.21:445 69.51.2.106:445 82.196.113.102:445 # Reference: https://twitter.com/StopMalvertisin/status/1653441365496459270 # Reference: https://cert.gov.ua/article/4492467 (Ukrainian) mockbin.org/bin/4aa17a07-7635-4ee0-9f3a-449fcd91f342 mockbin.org/bin/b8427b58-7497-46cd-a5b2-6ff6a40b4592 mockbin.org/bin/e8bfd045-2b14-4afc-9372-b723f7d76918 run.mocky.io/v3/1e88179a-3105-4a5c-9eb3-aebea36e9c21 run.mocky.io/v3/3b44f33d-b6e5-4ec6-b120-99b6ac52f74b run.mocky.io/v3/a261411d-b869-4877-86f5-307e32ed6afa run.mocky.io/v3/a4b6625c-226e-4dbc-baec-1dbd854b8015 run.mocky.io/v3/acea62da-ca05-46d1-bb80-0b036af7467c run.mocky.io/v3/ef206b51-4cf4-4c93-90bf-1e66673315b0 run.mocky.io/v3/ef4c7798-fc09-42cd-8431-91a22d5728d9 # Reference: https://twitter.com/cyber__sloth/status/1677068498625867777 # Reference: https://twitter.com/Cyber0verload/status/1677361473427841029 # Reference: https://www.virustotal.com/gui/file/4df72b051d8e3b97640ea3819da75ffb34df75aeb40403edb3e8482a8465dfab/detection 62.4.36.126:8880 # Reference: https://blog.sekoia.io/apt28-leverages-multiple-phishing-techniques-to-target-ukrainian-civil-society/ # Reference: https://otx.alienvault.com/pulse/64676e2dffb6057207af2037 config-panel.frge.io packinstall.kozow.com panelunregistertle-348.frge.io setnewcred.ukr.net.frge.io settings-panel.frge.io smtp-relay.frge.io ukrprivacysite.frge.io # Reference: https://cert.gov.ua/article/5105791 (Ukrainian) 37.191.122.186:3578 _.ukr.net.frge.io eopkne8kapj01xi.m.pipedream.net eos93vb2cwsu3xf.m.pipedream.net mail-gov-ua.frge.io setnewcred.ukr.net.frge.io # Reference: https://cert.gov.ua/article/39253 (Ukrainian, #UAC-0094) # Reference: https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/ # Reference: 
https://otx.alienvault.com/pulse/64403596d7a47d80451657c3 # Reference: https://www.virustotal.com/gui/ip-address/193.106.191.202/relations # Reference: https://www.virustotal.com/gui/ip-address/45.150.67.87/relations ohsxy.com telsec.org org.ohsxy.com security.ohsxy.com telegram.org.ohsxy.com org.security.ohsxy.com security-check.telegram.org.ohsxy.com telegram.org.security.ohsxy.com chatgpt4beta.com cpcpipe.com cpcpipe.org masterofdigital.org robot-876.frge.io setnewcreds.ukr.net.frge.io telegram.org.4234e8234ad0f.24o1.com ukroboronprom.com.ukr.pm ukrprivatesite.frge.io # Reference: https://cert.gov.ua/article/4905829 (Ukrainian) aneria.net armpress.net ceriossl.info fountainrate.com global-news-world.com global-world-news.net lonejade.com modeselling.com oncetrips.com vtxhospital.com ns1.fountainrate.com ns1.lonejade.com ns1.modeselling.com ns1.oncetrips.com ns1.vtxhospital.com ns2.fountainrate.com ns2.modeselling.com ns2.oncetrips.com ns2.vtxhospital.com # Reference: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week # Reference: https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ # Reference: https://twitter.com/Jane_0sint/status/1698702459739255016 # Reference: https://twitter.com/drb_ra/status/1696958416516759956 # Reference: https://twitter.com/Joseliyo_Jstnk/status/1730631107899437490 # Reference: https://twitter.com/Joseliyo_Jstnk/status/1730631116564951437 # Reference: https://twitter.com/Joseliyo_Jstnk/status/1730631107899437490 # Reference: https://twitter.com/Joseliyo_Jstnk/status/1730631116564951437 # Reference: https://otx.alienvault.com/pulse/6579b53c00375a2dcfaaf952 # Reference: https://app.any.run/tasks/aa73504a-563a-4dd7-8724-3afe54de02f2/ # Reference: https://www.virustotal.com/gui/file/2ac6735e8e0b23b222161690adf172aec668894d170299e9ff2c54a4ec25b1f4/detection # Reference: 
https://www.virustotal.com/gui/file/d37779e16a92da7bd05eae50c64b36e2e2022eb441382be686fda4dbd1800e90/detection # Reference: https://www.virustotal.com/gui/file/2ac6735e8e0b23b222161690adf172aec668894d170299e9ff2c54a4ec25b1f4/detection # Reference: https://www.virustotal.com/gui/file/d37779e16a92da7bd05eae50c64b36e2e2022eb441382be686fda4dbd1800e90/detection http://50.173.136.70 50.173.136.70:445 89.96.196.150:8080 document-c.infinityfreeapp.com downloaddoc.infinityfreeapp.com downloadfile.infinityfreeapp.com downloadingdoc.infinityfreeapp.com downloadingf.infinityfreeapp.com opendoc.infinityfreeapp.com opendocument.infinityfreeapp.com /execdwn.php /filedwn.php /execdwn.php?id= /filedwn.php?id= # Reference: https://twitter.com/BushidoToken/status/1740431013397078407 # Reference: https://twitter.com/k3yp0d/status/1752285465284170186 # Reference: https://cert.gov.ua/article/6276894 # Reference: https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/ http://194.126.178.8 http://88.209.251.6 194.126.178.8:445 czyrqdnvpujmmjkfhhvs4knf1av02demj.oast.fun czyrqdnvpujmmjkfhhvsclx05sfi23bfr.oast.fun czyrqdnvpujmmjkfhhvsgapqr3hclnhhj.oast.fun czyrqdnvpujmmjkfhhvsvlaax17vd5r6v.oast.fun e-nas.firstcloudit.com gcsd.firstcloudit.com nas-files.firstcloudit.com presidencia-docs.firstcloudit.com sgg-gov.firstcloudit.com ua-calendar.firstcloudit.com # Reference: https://twitter.com/h2jazi/status/1749489799184937094 # Reference: https://www.virustotal.com/gui/file/8d6a24eac7a90860edaf6721856ff11ce0cff9dd3dc9c2b546a3fdf9d15be4ed/detection # Reference: https://www.virustotal.com/gui/file/a5418213e34f81913726f19cdeefa8d9e3d425a8786eda086e56faacea1372ae/detection 202.55.80.225:35770 # Reference: https://twitter.com/felixaime/status/1760750756699812296 # Reference: https://www.virustotal.com/gui/ip-address/86.123.151.53/relations 86.123.151.53:4430 xfgjgjkuykykgihguifdt.mywire.org # Reference: 
https://twitter.com/MavericksInt/status/1765783346519425331 # Reference: https://www.virustotal.com/gui/file/ca5dd056e948b1d25bda3a96a0bc6001e20ef20c9516c86718e41817943400fa/detection # Reference: https://www.virustotal.com/gui/file/aef94d2451e1eb943d2b1ee5ed48d923ffff4baeb0d26ebe4450d6e151bf28c8/detection # Reference: https://www.virustotal.com/gui/file/7bed81cbbc5d368beb4531a373bad5a38aef7947f565048ad4ba597a821897c6/detection 163.172.67.233:5000 webhook.site/92a1c89c-c371-4b93-a91c-cb0d61b3432d # Reference: https://twitter.com/Joseliyo_Jstnk/status/1769699442045657261 # Reference: https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/ # Reference: https://www.virustotal.com/gui/file/18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6/detection # Reference: https://www.virustotal.com/gui/file/40a7fd89b9e51b0a515ac2355036d203357be90a2200b9c506b95c12db54c7aa/detection # Reference: https://www.virustotal.com/gui/file/451f3d427ac21632f38619ef96dece25798918866d44fe82ff1ed30996f998dc/detection # Reference: https://www.virustotal.com/gui/file/64b0037dde987c78edf807a1bd7f09cdfac072ec2a59954cc4918828b7e608a3/behavior 148.252.42.42:54467 172.114.170.18:55155 194.126.178.8:55555 calendar-ua.firstcloudit.com calendarua.firstcloudit.com dls-gov.firstcloudit.com e-gov-am.firstcloudit.com e-gov.firstcloudit.com e-military.firstcloudit.com e-mod.firstcloudit.com e-presidencia.firstcloudit.com eecommission-drive.firstcloudit.com eecommission.firstcloudit.com emod.firstcloudit.com files-presidencia.firstcloudit.com info-mod.firstcloudit.com kzgw-wody.firstcloudit.com mfa-files.firstcloudit.com militarysupport.firstcloudit.com presidencia-files.firstcloudit.com presidencia-gob.firstcloudit.com presidencia-gov.firstcloudit.com rada-zakon.firstcloudit.com sgg-files.firstcloudit.com wody-info-files.firstcloudit.com webhook.site/e2831741-d8c8-4971-9464-e52d34f9d611