# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: APT29, Cozy Bear, The Dukes, WellMess, WellMail, SoreFang, PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke, CloudDuke, Midnight Blizzard, earth koshchei, cloaked ursa, cozylarch, icecap

# Reference: https://otx.alienvault.com/pulse/55fae83567db8c6fb3518bcd/
# Reference: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

nasdaqblog.net
nytunion.com
overpict.com
greencastleadvantage.com
sixsquare.net
oilnewsblog.com
grouptumbler.com
airtravelabroad.com
beijingnewsblog.net
ustradecomp.com
nestedmail.com
leveldelta.com
nostressjob.com
natureinhome.com
deervalleyassociation.com

# Reference: https://www.f-secure.com/weblog/archives/00002822.html

portal.sbn.co.th

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
# Reference: https://otx.alienvault.com/pulse/5da83c7c104ff3553f418443

acciaio.com.br
bandabonga.fr
busseylawoffice.com
ceycarb.com
coachandcook.at
ecolesndmessines.org
fairfieldsch.org
fisioterapiabb.it
lorriratzlaff.com
ministernetwork.org
motherlodebulldogclub.com
powerpolymerindustry.com
publiccouncil.org
rulourialuminiu.co.uk
salesappliances.com
sistemikan.com
skagenyoga.com
varuhusmc.org
westmedicalgroup.net

# Reference: https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
# Reference: https://otx.alienvault.com/pulse/5f107c022dfb7a7c8fec7903

http://103.13.240.46
http://103.205.8.72
http://103.216.221.19
http://103.253.41.102
http://103.253.41.68
http://103.253.41.82
http://103.253.41.90
http://103.73.188.101
http://111.90.146.143
http://111.90.150.176
http://119.160.234.163
http://119.160.234.194
http://119.81.173.130
http://119.81.178.105
http://119.81.184.11
http://120.53.12.132
http://122.114.197.185
http://122.114.226.172
http://141.255.164.29
http://141.98.212.55
http://145.249.107.73
http://146.0.76.37
http://149.202.12.210
http://169.239.128.110
http://176.119.29.37
http://178.211.39.6
http://185.145.128.35
http://185.225.226.16
http://185.99.133.112
http://188.241.68.137
http://191.101.180.78
http://192.48.88.107
http://202.59.9.59
http://209.58.186.196
http://209.58.186.197
http://209.58.186.240
http://220.158.216.130
http://27.102.130.115
http://31.170.107.186
http://31.7.63.141
http://45.120.156.69
http://45.123.190.167
http://45.123.190.168
http://45.129.229.48
http://45.152.84.57
http://46.19.143.69
http://5.199.174.164
http://66.70.247.215
http://79.141.168.109
http://81.17.17.213
http://85.93.2.116

# Reference: https://twitter.com/IntezerLabs/status/1285487000091598863
# Reference: https://www.virustotal.com/gui/file/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2/detection

111.90.150.140:25

# Reference: https://twitter.com/ShadowChasing1/status/1288403929462530049
# Reference: https://www.virustotal.com/gui/file/95193266e37a3401a0becace6d41171ab2968ed5289d666043251d05552d02fc/detection

http://178.211.39.6
141.98.212.55:121

# Reference: https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/

monitor.syn.cn

# Reference: https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

103.216.221.18:50031

# Reference: https://twitter.com/joakimkennedy/status/1303626343830167552
# Reference: https://www.virustotal.com/gui/file/ebfe9cc39dfdc1d1abe7fd4b1e248b16238234c5261610456de0317c2045555d/detection

103.253.41.102:8081

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/7c20ef1547da114c15da8dd617d22dfd5c7fb08bb9eb07e30df35834619b915a/detection

45.91.93.89:443
d1d66buv7blf1z.cloudfront.net
myrric-uses.singlejets.com
sendbits.m2stor4ge.xyz

# Reference: https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
# Reference: https://otx.alienvault.com/pulse/60b689c652cd41240e77cfbe

74d6b7b2.app.giftbox4u.com
content.pcmsar.net
doggroomingnews.com
hanproud.com

# Reference: https://www.riskiq.com/blog/external-threat-management/apt29-bear-tracks/
# Reference: https://otx.alienvault.com/pulse/61090c601d7bda90aed534df
# Reference: https://www.virustotal.com/gui/file/775eff1087c9e134a370cc767aa8fee128ed0ede436a1860119bb1a5ea91111f/detection

http://103.193.4.101
http://111.90.147.248
http://111.90.151.120
http://116.202.251.49
http://116.202.251.5
http://141.255.164.11
http://141.98.214.14
http://152.44.45.10
http://152.89.160.81
http://178.157.13.168
http://185.140.55.35
http://185.207.205.174
http://193.36.116.119
http://193.36.119.162
http://193.36.119.184
http://31.13.195.210
http://37.120.247.163
http://45.124.132.10
http://45.124.132.106
http://91.132.139.195

# Reference: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ (# TrailBlazer)

satkas.waw.pl
/rainloop/forecast

# Reference: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/

porodicno.ba/wp-content/Agenda.html
wethe6and9.ca/wp-content/Agenda.html

# Reference: https://tria.ge/220721-s7pqcageb5

141.98.212.55:53
209.58.186.196:443

# Reference: https://twitter.com/WhichbufferArda/status/1581688188938358785
# Reference: https://www.virustotal.com/gui/file/56ddc93f0555b4934eef3c5ccd3cf09291240465aaccf373c28e2a0d1eb292a5/detection
# Reference: https://www.virustotal.com/gui/file/05d8b678bc3f14295fe6e8089e144b8adc622d5510e3a8fd7d0dda8f15c4bd13/detection
# Reference: https://www.virustotal.com/gui/file/6ee1e629494d7b5138386d98bd718b010ee774fe4a4c9d0e069525408bb7b1f7/detection

sinitude.com

# Reference: https://twitter.com/felixaime/status/1632448523995103232
# Reference: https://github.com/pan-unit42/tweets/blob/master/2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt

literaturaelsalvador.com/Instructions.html
literaturaelsalvador.com/Schedule.html
signitivelogics.com/BMW.html
signitivelogics.com/Schedule.html

# Reference: https://twitter.com/WhichbufferArda/status/1659254174620557314
# Reference: https://www.virustotal.com/gui/file/6e3b557b1a9c1ecd89eb3be978f8c1b775ee4822262aae9c1ee6c08399a37f73/detection

poetpages.com/pp/l4.php

# Reference: https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/

gtjas.site
info.gtjas.site
1597ebba.info.gtjas.site
3bcc1bba.info.gtjas.site
7c291bbe.info.gtjas.site

# Reference: https://twitter.com/doc_guard/status/1683971701023932416
# Reference: https://twitter.com/StopMalvertisin/status/1684084388546633728
# Reference: https://www.virustotal.com/gui/file/302c0d553c9e7f2561864d79022b780a53ec0a5927e8962d883b88dde249d044/detection

sgrhf.org.pk

# Reference: https://twitter.com/RexorVc0/status/1684820825998774272
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf
# Reference: https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
# Reference: https://otx.alienvault.com/pulse/64aed22c405b3e8f605125e8

easym6.com/Information.php
fondoftravel.com/contact.php
mightystake.com/sponsorship.php
reidao.com/dashboard.php
resetlocations.com/bmw.htm
sharpledge.com/login.php
simplesalsamix.com/e-yazi.html
sylvio.com.br/form.php
te-as.no/wine.php
willyminiatures.com/e-yazi.html

# Reference: https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
# Reference: https://otx.alienvault.com/pulse/6511f107da5fed8d065d9477

inovaoftalmologia.com.br
kegas.id
kitaeri.com
gavice.ng/event_program.php
parquesanrafael.cl/note.html
sgrfh.org.pk/wp-content/idx.php

# Reference: https://twitter.com/h2jazi/status/1714986809229251067
# Reference: https://www.virustotal.com/gui/file/f78ee3005ca9f0e78a9dd136fc69afe7c06d69d1fc6218bc9e7eb3adec045977/detection

d287-206-123-149-139.ngrok-free.app

# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
# Reference: https://otx.alienvault.com/pulse/657a2c924ea0e3e9e95e9433

matclick.com

# Reference: https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793

103.76.128.34:8080
bringthenoiseappnew.s3.amazonaws.com
fisheries-states-codes-camps.trycloudflare.com
/ujwphtigdcokr

# Reference: https://twitter.com/SinghSoodeep/status/1763808104221737156 (# SPIKEDWINE)
# Reference: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
# Reference: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
# Reference: https://www.virustotal.com/gui/file/a0f183ea54cb25dd8bdba586935a258f0ecd3cba0d94657985bb1ea02af8d42c/detection

siestakeying.com/auth.php
waterforvoiceless.org/invite.php
waterforvoiceless.org/util.php

# Reference: https://x.com/blackorbird/status/1849713901807518125
# Reference: https://x.com/MichalKoczwara/status/1849738432823644297
# Reference: https://www.virustotal.com/gui/ip-address/162.252.175.146/relations
# Reference: https://app.validin.com/detail?find=151.236.16.138&type=ip4&ref_id=7e3792beeb8#tab=resolutions
# Reference: https://app.validin.com/detail?find=151.236.16.149&type=ip4&ref_id=d53e5a59923#tab=resolutions
# Reference: https://app.validin.com/detail?find=151.236.16.193&type=ip4&ref_id=d53e5a59923#tab=resolutions
# Reference: https://app.validin.com/detail?find=151.236.16.22&type=ip4&ref_id=9a0b40a1dad#tab=resolutions
# Reference: https://app.validin.com/detail?find=151.236.16.220&type=ip4&ref_id=d53e5a59923#tab=resolutions
# Reference: https://app.validin.com/detail?find=151.236.16.236&type=ip4&ref_id=d53e5a59923#tab=resolutions
# Reference: https://app.validin.com/detail?find=151.236.16.245&type=ip4&ref_id=d53e5a59923#tab=resolutions
# Reference: https://app.validin.com/detail?find=174.122.28.185&type=ip4&ref_id=d394fab0bcd#tab=resolutions
# Reference: https://app.validin.com/detail?find=185.76.79.49&type=ip4&ref_id=b0d4a3c06eb#tab=resolutions
# Reference: https://app.validin.com/detail?type=ip&find=185.76.79.178#tab=resolutions
# Reference: https://app.validin.com/detail?find=185.76.79.0%2F24&type=ip&ref_id=f1bfad41f10#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/185.76.79.178/relations
# Reference: https://app.validin.com/detail?type=ip&find=2.58.201.112#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/2.58.201.112/relations
# Reference: https://app.validin.com/detail?find=45.141.58.30&type=ip4&ref_id=2f7b7741b82#tab=resolutions
# Reference: https://app.validin.com/detail?type=ip&find=45.80.193.9#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/45.80.193.9/relations
# Reference: https://app.validin.com/detail?type=ip&find=52.91.32.251#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/52.91.32.251/relations
# Reference: https://app.validin.com/detail?type=ip&find=52.91.32.251#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/84.32.188.148/relations
# Reference: https://www.virustotal.com/gui/ip-address/98.81.98.142/relations
# Reference: https://cert.gov.ua/article/6281076 (# UAC-0215)

4freerussia.cloud
accounts-google.online
actualcombine.com
admin-ch.cloud
ahmed-ms.online
aka-ms.cloud
avis-google.online
aws-app.online
aws-atshop.online
aws-cert.online
aws-cloud.online
aws-cloud.tech
aws-data.cloud
aws-devops.site
aws-exam.online
aws-il.cloud
aws-join.cloud
aws-meet.cloud
aws-meetings.cloud
aws-ms.cloud
aws-my.online
aws-online.cloud
aws-platform.cloud
aws-s3.cloud
aws-sagyo.site
aws-sample.online
aws-secure.cloud
aws-talib.online
aws-ukraine.cloud
aws-yamada.site
awsmeet.cloud
awsplatform.online
awsprotect.online
backupify.cloud
barracuda.solutions
brookings.cloud
bund-de.cloud
cabemanis-ms.online
caci.solutions
cadastros-google.online
ceip.cloud
cer.zone
cfr-aws.cloud
cod-ms.online
com-s3.cloud
commerce-mil.online
console-google.cloud
cribl-gov.cloud
crisisgroup.services
csbaonline.cloud
csu-gov.cloud
ctu-gov.cloud
defense-gouv.cloud
devops-aws.cloud
dgfip-gouv.online
dia-gov.cloud
difesa-it.cloud
dn-ms.online
drive-google.cloud
druva.cloud
dtran-ms.online
eopgov.cloud
eros-ms.online
eru-gov.cloud
europeanvalues.cloud
feedzai-gov.cloud
forces-gc.cloud
foreignhurry.com
ga-mil.online
gd-ms.cloud
gmfus.cloud
google-accs.online
google-ai.site
google-analysis.cloud
google-com.site
google-com.website
google-docs.online
google-duo.online
google-duo.site
google-map.website
google-meet.cloud
google-pesquisa.online
google-plays.site
google-playstore.online
google-sanctions.online
google-seguro.site
google-shopping.online
google-support.site
gouv-fr.cloud
gov-au.cloud
gov-aws.cloud
gov-fi.cloud
gov-gr.cloud
gov-lt.cloud
gov-lv.cloud
gov-pl.cloud
gov-sk.cloud
gov-trust.cloud
gov-ua.cloud
govbook.cloud
govdom.cloud
govista.cloud
govmr.cloud
govps.cloud
govtr.cloud
govua.cloud
hcdc-ms.online
hso-aws.cloud
iklan-google.online
jdm-s3.online
jtf-mil.online
kam-lt.cloud
learn-ms.online
lordfilm-ms.online
loreaosvault.cloud
macfound.services
mae-ro.cloud
maps-google.online
md-gov.cloud
mde-es.cloud
meet-google.cloud
mf-gov.cloud
mfa-bg.website
mfa-gov-il.cloud
mfa-gov-tr.cloud
mfa-gov.cloud
mfa-gov.online
microsoft-meeting.cloud
microsoftmeeting.cloud
mil-be.cloud
mil-commerce.online
mil-defense.online
mil-ee.cloud
mil-mza.online
mil-mza.site
mil-pl.cloud
mil-pt.cloud
mil-stat.online
mil-tek.online
mimecast.cloud
minbuza.cloud
mindef-nl.cloud
mmr-gov.cloud
mo-gov.cloud
mod-gov-il.cloud
mpo-gov.cloud
mpsv-gov.cloud
ms-aid.site
ms-antalia.online
ms-aws.cloud
ms-cabemanis.online
ms-cabemanis.site
ms-cabemanis.website
ms-clean.site
ms-company.site
ms-conference.cloud
ms-copilot.online
ms-dining.site
ms-exchange.online
ms-flamex.online
ms-gacor.online
ms-gacor.site
ms-gma.online
ms-green.online
ms-immo.online
ms-irstatic.cloud
ms-jpan.online
ms-justme.online
ms-justmetv.online
ms-labs.site
ms-legal.site
ms-log.site
ms-media.online
ms-meeting.com
ms-meeting.online
ms-meetings.online
ms-menu.online
ms-mfa.online
ms-moviez.site
ms-mu.online
ms-nas.online
ms-offce.online
ms-oiffce.online
ms-oiffice.online
ms-ok.site
ms-org.tech
ms-paint.online
ms-perry.online
ms-pmr.online
ms-raskion.online
ms-review.site
ms-rp.site
ms-sami.tech
ms-schaefer.online
ms-scribe.online
ms-secure.cloud
ms-security.online
ms-sign.site
ms-store.cloud
ms-tcentr.online
ms-toto.online
ms-toto.site
ms-wow.online
msconferences.cloud
msmt-gov.cloud
msz-pl.cloud
mv-gov.cloud
my-gov.cloud
mzd-gov.cloud
mze-gov.cloud
mzp-gov.cloud
mzv-cz.cloud
mzv-gov.cloud
mzv-sk.cloud
nakit-gov.cloud
nbu-gov.cloud
nore-aws.online
nukib-gov.cloud
oktacloud.us
opennet.solutions
otzyv-ms.online
parseccomputer.cloud
photos-google.online
photos-ms.online
playstore-google.online
policie-gov.cloud
polycom.solutions
porno-google.online
raq-ms.online
red-ms.online
s3.army
s3-acronis.cloud
s3-army.cloud
s3-atlassian.cloud
s3-aws.cloud
s3-bah.cloud
s3-be.cloud
s3-blackberry.cloud
s3-cloud.us
s3-csis.cloud
s3-de.cloud
s3-dgap.cloud
s3-dk.cloud
s3-dnc.cloud
s3-esa.cloud
s3-fbi.cloud
s3-hudson.cloud
s3-ida.cloud
s3-iri.cloud
s3-knowbe4.cloud
s3-marcus.cloud
s3-monitoring.cloud
s3-nato.cloud
s3-ned.cloud
s3-nsa.cloud
s3-proofpoint.cloud
s3-pt.cloud
s3-rackspace.cloud
s3-rand.cloud
s3-spacex.cloud
s3-state.cloud
s3-stig.cloud
s3-ua.cloud
s3-ucia.cloud
s3-zoho.cloud
secretiveleap.com
secured-ms.online
servicenowinc.us
shaines-aws.online
sisaf-ms.online
ssi-gouv.cloud
statecloud.us
stratfor.cloud
support-google.cloud
swcloud.us
symbolsecurity.cloud
tk-ms.online
trentry-ms.online
ua-aws.army
ua-energy.cloud
ua-gov.cloud
ua-mil.cloud
ua-se.cloud
ua-sec.cloud
ua-sn.cloud
ukrtelecom.cloud
uohs-gov.cloud
uoou-gov.cloud
us-mil.cloud
usaid.cloud
usip.us
vibrant-ms.online
vikas-aws.online
visit-ms.online
vlada-gov.cloud
voa-gov.cloud
webdox-aws.online
wilsoncenter.cloud
wrapsnet.cloud
zero-trust.solutions
adm.govua.cloud
ca-central-1.awsplatform.online
ca-west-1.mfa-gov.cloud
central-2-aws.ua-aws.army
eu-central-1-aws.govua.cloud
eu-central-1-aws.mfa-gov.cloud
eu-central-1.mfa-gov.cloud
eu-central-1.ukrtelecom.cloud
eu-central-2-aws.ua-aws.army
eu-north-1-aws.ua-energy.cloud
eu-north-1-aws.ua-gov.cloud
eu-south-1-aws.mfa-gov.cloud
eu-south-2-aws.mfa-gov.cloud
eu-southeast-1-aws.gov-ua.cloud
eu-southeast-1-aws.govtr.cloud
eu-southeast-1-aws.zero-trust.solutions
kmu.govua.cloud
mx.ceip.cloud
ns1.actualcombine.com
ns1.foreignhurry.com
ns1.secretiveleap.com
ns2.actualcombine.com
ns2.foreignhurry.com
ns2.secretiveleap.com
pdv.govua.cloud
us-east-1-aws.mfa-gov.cloud
us-east-2-aws.ua-gov.cloud
us-east-console.awsplatform.online
us-west-1-amazon.ua-energy.cloud
us-west-1.aws-ukraine.cloud
us-west-1.ua-aws.army
us-west-1.ukrtelecom.cloud
us-west-2-aws.mfa-gov.cloud

# Reference: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/

amazonsolutions.cloud
dep-no.cloud
gv-at.cloud
ncfta.cloud
presidencia-pt.cloud
quirinale.cloud
regeringskansliet-se.cloud
ukrainesec.cloud
ap-northeast-1-aws.s3-ua.cloud
ap-northeast-1-aws.ukrainesec.cloud
ca-central-1.gov-ua.cloud
ca-central-1.ua-gov.cloud
ca-west-1.aws-ukraine.cloud
ca-west-1.ukrtelecom.cloud
central-2-aws.ua-mil.cloud
central-2-aws.ua-sec.cloud
central-2-aws.ukrainesec.cloud
central-2-aws.ukrtelecom.cloud
eu-central-1-aws.amazonsolutions.cloud
eu-central-1-aws.dep-no.cloud
eu-central-1-aws.gov-pl.cloud
eu-central-1-aws.gov-sk.cloud
eu-central-1-aws.gov-trust.cloud
eu-central-1-aws.minbuza.cloud
eu-central-1-aws.mindef-nl.cloud
eu-central-1-aws.msz-pl.cloud
eu-central-1-aws.mzv-sk.cloud
eu-central-1-aws.ncfta.cloud
eu-central-1-aws.presidencia-pt.cloud
eu-central-1-aws.quirinale.cloud
eu-central-1-aws.regeringskansliet-se.cloud
eu-central-1-aws.s3-be.cloud
eu-central-1-aws.s3-ua.cloud
eu-central-1-aws.ua-gov.cloud
eu-central-1-aws.ukrainesec.cloud
eu-central-1.difesa-it.cloud
eu-central-1.mil-be.cloud
eu-central-1.mil-pl.cloud
eu-central-1.minbuza.cloud
eu-central-1.mindef-nl.cloud
eu-central-1.msz-pl.cloud
eu-central-1.quirinale.cloud
eu-central-1.regeringskansliet-se.cloud
eu-central-1.s3-be.cloud
eu-central-1.s3-esa.cloud
eu-central-1.s3-nato.cloud
eu-central-1.ua-gov.cloud
eu-central-1.ua-sec.cloud
eu-central-2-aws.amazonsolutions.cloud
eu-central-2-aws.aws-ukraine.cloud
eu-central-2-aws.dep-no.cloud
eu-central-2-aws.gov-pl.cloud
eu-central-2-aws.gov-sk.cloud
eu-central-2-aws.mil-be.cloud
eu-central-2-aws.mil-pl.cloud
eu-central-2-aws.mindef-nl.cloud
eu-central-2-aws.msz-pl.cloud
eu-central-2-aws.mzv-sk.cloud
eu-central-2-aws.presidencia-pt.cloud
eu-central-2-aws.regeringskansliet-se.cloud
eu-central-2-aws.s3-be.cloud
eu-central-2-aws.ua-gov.cloud
eu-central-2-aws.ua-mil.cloud
eu-central-2-aws.ukrtelecom.cloud
eu-east-1-aws.amazonsolutions.cloud
eu-east-1-aws.dep-no.cloud
eu-east-1-aws.gov-sk.cloud
eu-east-1-aws.gov-ua.cloud
eu-east-1-aws.mil-be.cloud
eu-east-1-aws.mil-pl.cloud
eu-east-1-aws.minbuza.cloud
eu-east-1-aws.mindef-nl.cloud
eu-east-1-aws.msz-pl.cloud
eu-east-1-aws.mzv-sk.cloud
eu-east-1-aws.quirinale.cloud
eu-east-1-aws.regeringskansliet-se.cloud
eu-east-1-aws.s3-be.cloud
eu-east-1-aws.s3-de.cloud
eu-east-1-aws.ua-gov.cloud
eu-east-1-aws.ua-sec.cloud
eu-east-1-aws.ukrtelecom.cloud
eu-north-1-aws.dep-no.cloud
eu-north-1-aws.difesa-it.cloud
eu-north-1-aws.gov-pl.cloud
eu-north-1-aws.gov-sk.cloud
eu-north-1-aws.mil-be.cloud
eu-north-1-aws.mil-pl.cloud
eu-north-1-aws.minbuza.cloud
eu-north-1-aws.ncfta.cloud
eu-north-1-aws.presidencia-pt.cloud
eu-north-1-aws.quirinale.cloud
eu-north-1-aws.regeringskansliet-se.cloud
eu-north-1-aws.s3-be.cloud
eu-north-1-aws.s3-de.cloud
eu-north-1.difesa-it.cloud
eu-north-1.gov-trust.cloud
eu-north-1.gov-ua.cloud
eu-north-1.gv-at.cloud
eu-north-1.mil-be.cloud
eu-north-1.mil-pl.cloud
eu-north-1.mzv-sk.cloud
eu-north-1.ncfta.cloud
eu-north-1.regeringskansliet-se.cloud
eu-north-1.s3-be.cloud
eu-north-1.s3-de.cloud
eu-north-1.s3-ua.cloud
eu-south-1-aws.admin-ch.cloud
eu-south-1-aws.dep-no.cloud
eu-south-1-aws.difesa-it.cloud
eu-south-1-aws.gov-pl.cloud
eu-south-1-aws.gov-trust.cloud
eu-south-1-aws.mil-be.cloud
eu-south-1-aws.minbuza.cloud
eu-south-1-aws.mzv-sk.cloud
eu-south-1-aws.quirinale.cloud
eu-south-1-aws.s3-be.cloud
eu-south-1-aws.s3-de.cloud
eu-south-1-aws.ua-gov.cloud
eu-south-2-aws.amazonsolutions.cloud
eu-south-2-aws.dep-no.cloud
eu-south-2-aws.gov-pl.cloud
eu-south-2-aws.gov-sk.cloud
eu-south-2-aws.mil-be.cloud
eu-south-2-aws.mil-pl.cloud
eu-south-2-aws.mil-pt.cloud
eu-south-2-aws.minbuza.cloud
eu-south-2-aws.msz-pl.cloud
eu-south-2-aws.mzv-sk.cloud
eu-south-2-aws.ncfta.cloud
eu-south-2-aws.quirinale.cloud
eu-south-2-aws.regeringskansliet-se.cloud
eu-south-2-aws.s3-be.cloud
eu-south-2-aws.s3-de.cloud
eu-south-2-aws.s3-esa.cloud
eu-south-2-aws.s3-nato.cloud
eu-south-2-aws.s3-ua.cloud
eu-south-2-aws.ua-gov.cloud
eu-south-2.dep-no.cloud
eu-south-2.gov-pl.cloud
eu-south-2.gov-sk.cloud
eu-south-2.mil-be.cloud
eu-south-2.mil-pl.cloud
eu-south-2.mindef-nl.cloud
eu-south-2.s3-be.cloud
eu-south-2.s3-de.cloud
eu-south-2.s3-esa.cloud
eu-south-2.s3-nato.cloud
eu-south-2.ua-sec.cloud
eu-south-2.ukrainesec.cloud
eu-southeast-1-aws.amazonsolutions.cloud
eu-southeast-1-aws.aws-ukraine.cloud
eu-southeast-1-aws.dep-no.cloud
eu-southeast-1-aws.difesa-it.cloud
eu-southeast-1-aws.gov-sk.cloud
eu-southeast-1-aws.gov-trust.cloud
eu-southeast-1-aws.mil-be.cloud
eu-southeast-1-aws.mil-pl.cloud
eu-southeast-1-aws.mindef-nl.cloud
eu-southeast-1-aws.msz-pl.cloud
eu-southeast-1-aws.mzv-cz.cloud
eu-southeast-1-aws.mzv-sk.cloud
eu-southeast-1-aws.quirinale.cloud
eu-southeast-1-aws.s3-be.cloud
eu-southeast-1-aws.s3-de.cloud
eu-southeast-1-aws.s3-esa.cloud
eu-southeast-1-aws.s3-ua.cloud
eu-southeast-1-aws.ua-energy.cloud
eu-southeast-1-aws.ukrainesec.cloud
eu-west-1-aws.amazonsolutions.cloud
eu-west-1-aws.aws-ukraine.cloud
eu-west-1-aws.dep-no.cloud
eu-west-1-aws.gov-pl.cloud
eu-west-1-aws.gov-sk.cloud
eu-west-1-aws.gov-trust.cloud
eu-west-1-aws.gov-ua.cloud
eu-west-1-aws.mil-be.cloud
eu-west-1-aws.mil-pl.cloud
eu-west-1-aws.minbuza.cloud
eu-west-1-aws.quirinale.cloud
eu-west-1-aws.s3-be.cloud
eu-west-1-aws.s3-de.cloud
eu-west-1-aws.s3-esa.cloud
eu-west-1-aws.s3-nato.cloud
eu-west-1-aws.ua-sec.cloud
eu-west-1-aws.ukrainesec.cloud
eu-west-1.aws-ukraine.cloud
eu-west-1.difesa-it.cloud
eu-west-1.gov-sk.cloud
eu-west-1.mil-be.cloud
eu-west-1.mil-pl.cloud
eu-west-1.minbuza.cloud
eu-west-1.msz-pl.cloud
eu-west-1.mzv-sk.cloud
eu-west-1.regeringskansliet-se.cloud
eu-west-1.s3-de.cloud
eu-west-1.s3-esa.cloud
eu-west-1.s3-ua.cloud
eu-west-1.ua-gov.cloud
eu-west-1.ukrtelecom.cloud
eu-west-2-aws.amazonsolutions.cloud
eu-west-2-aws.dep-no.cloud
eu-west-2-aws.difesa-it.cloud
eu-west-2-aws.gov-pl.cloud
eu-west-2-aws.gov-sk.cloud
eu-west-2-aws.gv-at.cloud
eu-west-2-aws.mil-be.cloud
eu-west-2-aws.mil-pl.cloud
eu-west-2-aws.minbuza.cloud
eu-west-2-aws.mindef-nl.cloud
eu-west-2-aws.msz-pl.cloud
eu-west-2-aws.mzv-sk.cloud
eu-west-2-aws.quirinale.cloud
eu-west-2-aws.s3-be.cloud
eu-west-2-aws.s3-de.cloud
eu-west-2-aws.s3-esa.cloud
eu-west-2-aws.s3-nato.cloud
eu-west-2-aws.s3-ua.cloud
eu-west-2-aws.ua-sec.cloud
eu-west-3-aws.aws-ukraine.cloud
eu-west-3-aws.dep-no.cloud
eu-west-3-aws.difesa-it.cloud
eu-west-3-aws.gov-pl.cloud
eu-west-3-aws.gov-sk.cloud
eu-west-3-aws.gov-trust.cloud
eu-west-3-aws.mil-be.cloud
eu-west-3-aws.mil-pl.cloud
eu-west-3-aws.mil-pt.cloud
eu-west-3-aws.minbuza.cloud
eu-west-3-aws.mindef-nl.cloud
eu-west-3-aws.msz-pl.cloud
eu-west-3-aws.mzv-sk.cloud
eu-west-3-aws.quirinale.cloud
eu-west-3-aws.regeringskansliet-se.cloud
eu-west-3-aws.s3-be.cloud
eu-west-3-aws.s3-ua.cloud
eu-west-3-aws.ua-mil.cloud
eu-west-3.amazonsolutions.cloud
eu-west-3.aws-ukraine.cloud
eu-west-3.mil-be.cloud
eu-west-3.mil-pl.cloud
eu-west-3.minbuza.cloud
eu-west-3.mindef-nl.cloud
eu-west-3.msz-pl.cloud
eu-west-3.mzv-sk.cloud
eu-west-3.presidencia-pt.cloud
eu-west-3.s3-be.cloud
eu-west-3.s3-ua.cloud
eu-west-3.ukrainesec.cloud
eu-west-3.ukrtelecom.cloud
us-east-1-aws.s3-ua.cloud
us-east-1-aws.ua-gov.cloud
us-east-1-aws.ua-sec.cloud
us-east-2-aws.gov-ua.cloud
us-east-2-aws.ukrtelecom.cloud
us-east-2.aws-ukraine.cloud
us-east-2.gov-ua.cloud
us-east-2.ua-sec.cloud
us-east-2.ukrainesec.cloud
us-east-console.aws-ukraine.cloud
us-east-console.ua-energy.cloud
us-west-1-amazon.ua-mil.cloud
us-west-1-amazon.ua-sec.cloud
us-west-1-aws.gov-ua.cloud
us-west-1.ua-energy.cloud
us-west-1.ua-gov.cloud
us-west-2-aws.s3-ua.cloud
us-west-2-aws.ua-energy.cloud
us-west-2.gov-ua.cloud
us-west-2.ua-energy.cloud
us-west-2.ua-sec.cloud

# Reference: https://app.validin.com/detail?find=3.85.194.174&type=ip4&ref_id=2d521bb95dc#tab=resolutions

asucloud.us

# Reference: https://app.validin.com/detail?find=54.234.40.119&type=ip4&ref_id=24403506e8c#tab=resolutions

go-meeting.online

# Reference: https://x.com/blackorbird/status/1868948019854643666
# Reference: https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt

aeinc.solutions
albrightstonebridge.cloud
amazonmeeting.cloud
americanprogress.cloud
aspeninstitute.cloud
awsmeetings.online
c-r.services
capgemini.services
cepa.solutions
citoc.cloud
clari.cloud
clearancejobs.cloud
cnas.zone
cwinc.cloud
defence-au.cloud
democracyendowment.cloud
ecfr.cloud
europa-eu.cloud
exclaimer.solutions
foreignpolicy.cloud
freedomhouse.cloud
gc-cloud.ca
go-conference.cloud
go-jp.cloud
go-meet-up.com
go-meet.pro
go-meeting.cloud
googlemeet.zone
heritagecloud.org
justice.technology
mapn-ro.cloud
mod-cloud.uk
morh-hr.cloud
mvep-hr.cloud
ncsc.solutions
ndu.solutions
nrcc.cloud
opensocietyfoundations.cloud
police-gov.cloud
prio.zone
pulsesecure.cloud
rrt.solutions
rubrik.zone
s3-aws.global
s3-us.navy
saiccloud.us
shicloud.online
sipacolumbia.us
skykick.solutions
softcat.cloud
ssi-gouv-fr.cloud
trustifi.cloud
us-army.cloud
veeam.solutions
zixcorp.cloud
zoom-meeting.cloud
zoom-meeting.live
zoom-meeting.pro
zoom-meeting.today
zoom-meetings.cloud
zoommeeting.today
zoommeeting.zone

# Reference: https://x.com/ShanHolo/status/1887817002649047162
# Reference: https://app.validin.com/detail?find=185.243.99.17&type=ip4&ref_id=27436e81e5c#tab=resolutions
# Reference: https://www.virustotal.com/gui/file/1916af4debbeaa0ee688c95d2d9d25196bd5765bad5c7a9c1ed7e934e6ffb9ba/detection
# Reference: https://www.virustotal.com/gui/file/7cfb5e14c49ed3c9425ae995a2f7f260c564d552a29c5bdeb3665769e687cce5/detection

185.243.99.17:3389
ukrtelcom.com
ukrtelecom.eu

# Reference: https://research.checkpoint.com/2025/apt29-phishing-campaign/

bakenhof.com
bravecup.com
ophibre.com
silry.com
info.ophibre.com
mail.bakenhof.com
mail.bravecup.com
mail.ophibre.com
mail.silry.com
mx.ophibre.com

# Reference: https://aws.amazon.com/ru/blogs/security/amazon-disrupts-watering-hole-campaign-by-russias-apt29/

findcloudflare.com
redirectpartners.com
cloudflare.redirectpartners.com
