# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: calisto, ta446, unc3707, lostkeys, baitswitch, simplefix

# Reference: https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

drive-share.live
protect-link.online
protection-office.live
proton-viewer.com

# Reference: https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign/

cache-docs.com
cloud-docs.com
docs-cache.com
docs-drive.online
docs-info.com
documents-cloud.com
documents-cloud.online
documents-pdf.online
drive-docs.com
file-milgov.systems
hypertextteches.com
office-protection.online
pdf-cloud.online
pdf-docs.online
pdf-shared.online
protectionmail.online
proton-docs.com
proton-view.online

# Reference: https://twitter.com/h2jazi/status/1538940189015429122
# Reference: https://www.virustotal.com/gui/file/7b95747eeea196c1485d089fa47a06bacb07d06399603d3a4fa153c21ce0a9ba/detection

cache-pdf.com

# Reference: https://otx.alienvault.com/pulse/6272996039678903e0b73dd5

cache-dns.com
docs-shared.com
documents-forwarding.com
documents-preview.com
protection-link.online
webresources.live

# Reference: https://twitter.com/r0ny_123/status/1549751626004500481

cache-pdf.online
# Note: documents-cloud.online is also listed above under the Sekoia reference (duplicate entry, retained for completeness)
documents-cloud.online
pdf-cache.online
pdf-forwarding.online
storage-service.online

# Reference: https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/

cache-dns-forwarding.com
cache-dns-preview.com
cache-services.live
cloud-drive.live
cloud-mail.online
cloud-storage.live
docs-forwarding.online
docs-info.online
docs-shared.online
docs-view.online
document-forwarding.com
document-online.live
document-preview.com
document-share.live
document-view.live
documents-online.live
documents-view.live
goo-link.online
mail-docs.online
office365-online.live
officeonline365.live
online-document.live
online-storage.live
online365-office.com
onlinecloud365.live
pdf-cache.com
protection-checklinks.xyz
proton-pdf.online
proton-reader.com
relogin-dashboard.online
safe-connection.online
safelinks-protect.live
secureoffice.live
word-yand.live
y-ml.co
yandx-online.cloud

# Reference: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html

goo-ink.online
hypertexttech.com
accounts.hypertexttech.com

# Reference: https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/
# Reference: https://otx.alienvault.com/pulse/6390ecc150d6fda9ab97c604

access-confirmation.com
allow-access.com
antibots-service.com
apicomcloud.com
as-mvd.ru
attach-docs.com
attach-update.com
blueskynetwork-drive.com
blueskynetwork-shared.com
botguard-checker.com
botguard-web.com
challenge-identifier.com
challenge-share.com
checker-bot.com
cija-docs.com
cija-drive.com
cloud-safety.online
cloud-us.online
default-dns.online
disk-previewer.com
dns-cache.online
dns-challenge.com
dns-cookie.com
dns-mvd.ru
docs-cache.online
docs-collector.com
docs-storage-ltd.com
docs-viewer.online
docs-web.online
document-guard.com
document-sender.com
drive-control.com
drive-defender.com
drive-global-ordnance.com
drive-globalordnance.com
drive-information.com
drive-previewer.com
drive-us.online
dtgruelle-drive.com
dtgruelle-us.com
encompass-drive.com
encompass-shared.com
filter-bot.com
global-ordnance-drive.com
goweb-protect.com
goweb-service.com
guard-checker.com
hd-centre-drive.com
hd-docs-share.com
hypertextttech.com
land-of-service.com
live-identifier.com
mvd-cloud.ru
mvd-redir.ru
network-storage-ltd.com
nonviolent-conflict-service.com
nonviolent-conflict-storage.com
online-word.com
preview-docs.com
preview-docs.online
protectedshields-storage.com
protection-web-app.com
proxycrioisolation.com
redir-document.com
response-collector.com
response-filter.com
response-mvd.ru
response-redir.com
safe-proof.com
sangrail-ltd.com
sangrail-share.com
selector-drafts.online
share-drive-ua.com
soaringeagle-drive.com
threatcenterofreaserch.com
threatcenterofresearch.com
transfer-dns.com
transfer-record.com
umo-drive.com
umopl-drive.com
umopl.com
webview-service.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-08-09-v10390/852

bittechllc.net
centeritdefcity.com
checkscreenit.com
cloudcpanelhost.com
clouddefsystems.com
cloudrootstorage.com
commandentrance.com
computertechdirectsystems.com
computingtechstudio.com
configuregatewayglobal.com
controlgatestorage.com
controlsstoragedirect.com
controlstoragesolutions.com
cryptdatagate.com
cryptotechdirect.com
cryptothistech.com
datagatellc.com
datagatewayglobal.com
datastoragecrypto.com
definform.com
deskactivitygm.com
directdocumentgate.com
directdocumentgateway.com
directexpressgateway.com
directstoragegate.com
docsinfogate.com
documentdirectllc.com
documentdirectto.com
entrywaycenter.com
gateblurbrepository.com
gatecryptospace.com
gateinfosecure.com
gatestoragetech.com
gatewaydocsint.com
gatewayitsol.com
gatewayrecord.com
gawecryptoinfosolutions.com
getinfostarter.com
incappcloud.com
infocryptogate.com
infogatestorage.com
informationcoindata.com
informationswitchsystems.com
infostorageroute.com
intelligencerepository.com
itgatestorage.com
itinfogate.com
keepitlabgroup.com
managercodepro.com
meshgoin.com
myitappnext.com
myittechnext.com
networkgoin.com
oneinformationcrypto.com
pdfdirectglobal.com
pdfsecxcloudroute.com
po.vatangate.com
prodefendme.com
prokeeperit.com
protectedviews.com
protectordocumentcenter.com
realeasyconfiguregateway.com
realitsolutionprimary.com
safetydocsgateway.com
secureglobaltele.com
serverguarditweb.com
shielditlabel.com
shortinfoonline.com
skycithereforeit.com
solutionsseccloud.com
sourcedoorway.com
sourcedoorways.com
stateinfospace.com
storagecryptogate.com
storagecryptoweb.com
storageinfogate.com
storagekeeperinfopro.com
storagekeeperinfotech.com
storagerootconnect.com
storagetruncservices.com
storagewarden.com
suppdatacent.com
truncstorage.com
vatangate.com
webgateway.ru
webgatewayenter.com
webinterstellar.com
yourdirectinfospace.com
yourspaceprotector.com

# Reference: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/ (# SPICA backdoor)
# Reference: https://www.virustotal.com/gui/file/37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9/detection

45.133.216.15:3000

# Reference: https://medium.com/@fofabot/practical-fofa-asset-discovery-coldriver-bdb971f2413b

89.19.211.240:3000
95.164.17.94:3000

# Reference: https://x.com/alex_lanstein/status/1816306001781367143
# Reference: https://blog.strikeready.com/blog/russia-nexus-actor-targets-ukraine/
# Reference: https://cert.gov.ua/article/6280183 (# UAC-0102)
# Reference: https://www.virustotal.com/gui/ip-address/82.221.139.200/relations
# Reference: https://www.virustotal.com/gui/file/e159886a173f021b345ad152ad84beed3ac39b6a7455805c255f38d7b4c9434c/detection
# Reference: https://www.virustotal.com/gui/file/853f21ba9a8a362a9bafc98204eb70b8c23ba845359e694984711ec1485d0c2f/detection
# Reference: https://www.virustotal.com/gui/file/2f1f4b077b6fc40d8f0c995e80657448478a08acdf0e33ee2b73602bda62270c/detection
# Reference: https://www.virustotal.com/gui/file/38963b61113b7b88e3fce30539e63b4745f8d91f8e2577b6597a09648b105733/detection
# Reference: https://www.virustotal.com/gui/file/9e49db0eb920e130c0393a87c96434b9f0257025584cf546f623c1cb0b074333/detection

http://82.221.139.200
changepassword-ukr.net
kv-ukr.net
uaccsnet.com
ualogaccs.com
uasettings.com
uasetukr.com
uasystdoc.com
uasystnet.com
ukainua.com
ukenlog.com
uknetlogin.com
ukr-mails.net
ukr-reset.email
ukrsets.com
ukrsett.com
ukrstnet.com
unetset.com
accounts.kv-ukr.net
accounts.ukr-mails.net
accounts.ukr-reset.email

# Reference: https://www.virustotal.com/gui/ip-address/147.45.124.240/relations

app-sharcpoint.com
app-sharcpointe.com
app-sharcpolnt.com
app-sharcpolnte.com
appsharcpointe.com
appsharcpointes.com
appssharcpointe.com
client-serviceauth0.com
cloud-sharcpoint.com
cloud-sharcpointe.com
cloud-sharcpolnte.com
cloud-sharepolnt.com
cloudsharepolnte.com
doc-sharcpoint.com
doc-sharcpointe.com
doc-sharepointe.com
docs-sharcpoint.com
docs-sharcpointe.com
docs-sharcpolnt.com
docs-sharcpolnte.com
docs-sharepolnt.com
secureauth-login.com
secureclientauth0.com
serviceauth0.com
sharcpoint-app.com
sharcpoint-docs.com
sharcpoint-web.com
sharcpointapp.com
sharcpointe-cloud.com
sharcpointe-doc.com
sharcpointeapp.com
sharcpointecloud.com
sharcpointedoc.com
sharcpointedocs.com
sharcpointedocsapp.com
sharcpointedocuments.com
sharcpolnte-docs.com
sharcpolnte-web.com
sharepointbeagle.com
sharepointdesign.com
sharepointe-cloud.com
sharepointe-docs.com
sharepointeapp.com
sharepolnte-app.com
sharepolnte-docs.com
sharepolnte-web.com
system-sharcpoint.com
system-sharcpointe.com
web-sharcpoint.com
web-sharcpolnt.com
web-sharepolnt.com

# Reference: https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/

egenre.net
eilatocare.com
esestacey.net
ideaspire.net
ithostprotocol.com
matalangit.org
togochecklist.com
vocabpaper.com
xsltweemat.org

# Reference: https://x.com/StrikeReadyLabs/status/1825638114955510014

http://82.221.130.78
ukrnetset.com

# Reference: https://www.virustotal.com/gui/ip-address/20.36.28.23/relations

ankaramuhaseben.com
bigdatabroadway.com
cityessentials.net
cloudinfodata.com
cloudithub.com
datawebhub.com
desgnspiration.net
e-fluxxsolutions.com
editablezoom.org
eichenfass.org
entheogenicmd.com
extractordraw.com
galetscryptodata.com
getfigmacreator.com
gothicshop.org
guardittech.com
helmetkup.com
imgrich.com
inrealconnect.com
instantpointzero.com
intelligentautomationalley.com
investfix.org
justapple.net
keeperdocumentllc.com
keeperitlabel.com
liquidacionesjudiciales.com
loyaltyfirst.org
mayquarkesthetic.com
mettezera.com
mtgcgroup.org
murodjonovs.com
mutualrescuebook.org
mygeiger.org
ommahat.net
osomtoys.com
owaorganizespace.com
particlesolid.org
postrequestin.com
preview-document.tech
proffsolution.com
protectionoffice.tech
pureafro.com
quantumnyx.org
riseupbit.com
setupprofi.com
sgmods.net
skeletcheck.com
skyinformdata.com
storageinformationsolutions.com
tarifjane.com
translatesplit.com
voltcloudpine.com
webfigmadesignershop.com
webitresourse.com
xacshop.com
yamaru.org

# Reference: https://x.com/StrikeReadyLabs/status/1839049108071526585
# Reference: https://strikeready.com/blog/finding-the-unknown-unknowns-part-2/
# Reference: https://app.validin.com/detail?find=82.221.139.160&type=ip4&ref_id=850ab70d5c4#tab=resolutions

accounts-ukr.com
accsua.com
accsukr.com
alightcruellane.net
data-ukr.com
localukre.com
mail-ukr-net.systems
manageukr.net
qr-logukr.com
scallopsflippant.com
seukr.net
support-ukr.com
ukr-edit.com
ukr-hub.com
ukr-mail.com
ukr-net.systems
ukr-passc.net
ukr-setting.com
ukr-site.com
ukraine-story.com
ukrlocalsystems.net
ukrmailpost.net
ukrrbox.com
ukrrr.com
uukkrr.net
verifukr.com
xe-ukr.net
xfiles-uk.net
xh-ukr.net
kinoafisha.ua.ukrrr.com

# Reference: https://x.com/knight0x07/status/1921085672661651817

mobilizationcenter.com.ua

# Reference: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos/
# Reference: https://www.virustotal.com/gui/ip-address/165.227.148.68/relations
# Reference: https://www.virustotal.com/gui/file/4c7accba35edd646584bb5a40ab78f963de45e5fc816e62022cd7ab1b01dae9c/detection
# Reference: https://www.virustotal.com/gui/file/6b85d707c23d68f9518e757cc97adb20adc8accb33d0d68faf1d8d56d7840816/detection
# Reference: https://www.virustotal.com/gui/file/db0c45bb0861ae458d90c09a1e7108f553a147514c3e6a4721eec9a9af639870/detection

http://165.227.148.68
cloudmediaportal.com
njala.dev

# Reference: https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix

applicationformsubmit.me
blintepeeste.org
captchanom.top
documentsec.com
hazerscotomacarted.org
mediasrangylavi.org
onstorageline.com
preentootmist.org
southprovesolutions.com
viewerdoconline.com
