[CERT-FR] Attack infrastructure of the cybercriminal group TA505
Results of the investigation into TA505's attack infrastructure
AI Analysis
Technical Summary
This entry summarizes a CERT-FR investigation into the attack infrastructure used by the cybercriminal group TA505, shared via CIRCL. TA505 is a well-known, financially motivated threat actor recognized for large-scale spam campaigns and for distributing a range of malware families, including banking trojans, ransomware, and remote access trojans. The report concerns the infrastructure supporting TA505's operations rather than a specific vulnerability or exploit: the indicators it carries cover command and control (C2) servers (SDBbot, Get2, Metasploit and Cobalt Strike) and phishing servers used in TA505 campaigns. No affected products or versions are identified, but this infrastructure is what enables the group's attacks, which typically target financial institutions, retail, and other sectors worldwide. The report is rated medium severity, with a threat level and analysis rating of 2 (on an unspecified scale); no exploits or patches are associated with it, since it is an infrastructure-focused intelligence report rather than a vulnerability disclosure. Confidence in the data is moderate, with 50% certainty indicated. The report is based on open-source intelligence (OSINT) of good reliability and is shared as TLP:WHITE, meaning it may be distributed without restriction. The mention of FIN11 alongside TA505 suggests possible overlap or related activity between these financially motivated groups. Overall, the entry documents ongoing monitoring and disruption efforts against TA505's infrastructure.
Potential Impact
For European organizations, the presence and activity of TA505's attack infrastructure pose a significant risk, primarily through phishing campaigns, malware infections, and potential ransomware attacks. TA505 operations can lead to financial losses, data breaches, operational disruption, and reputational damage. Given the group's history of targeting financial services, retail, and other critical sectors, European entities in these industries are particularly exposed. The infrastructure enables widespread malware distribution, which raises the likelihood of successful compromise wherever defenses are weak, and the persistence of TA505's campaigns means organizations may face repeated targeting. The medium severity rating reflects that no specific vulnerability is exploited here, while the infrastructure still facilitates attacks with high impact when they succeed: loss of availability, breaches of confidential data, and integrity compromise through malware infection are all possible consequences. Because there is no patch or direct exploit, mitigation centers on detecting and preventing intrusion attempts rather than on vulnerability remediation.
Mitigation Recommendations
Mitigation should focus on proactive detection and disruption of TA505-related infrastructure and attack vectors. Specific recommendations:
1. Implement advanced email filtering and anti-phishing controls, including attachment sandboxing and URL reputation analysis, to block TA505's spam campaigns.
2. Deploy network monitoring capable of detecting known TA505 C2 communications and anomalous traffic patterns, using threat intelligence feeds that carry TA505 infrastructure indicators such as the IP addresses and domains listed below.
3. Conduct regular threat hunting exercises focused on TA505 tactics, techniques, and procedures (TTPs), including hunting for the malware families historically associated with the group.
4. Enforce endpoint protection with behavioral analysis to detect and block execution of malware linked to TA505 campaigns.
5. Keep user awareness training current, emphasizing recognition and reporting of phishing and tailored to the latest TA505 lures.
6. Collaborate with national and European cybersecurity centers to share intelligence and take part in takedown efforts against TA505 infrastructure.
7. Apply network segmentation and least-privilege principles to limit lateral movement after an initial compromise.
8. Regularly update and test incident response plans for readiness against TA505-related incidents.
These measures go beyond generic advice by focusing on intelligence-driven detection and response aligned with TA505's known operational patterns.
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Threat Level: 2
- Analysis: 2
- UUID: 6021536f-a808-4b9c-8136-d7460aba047c
- Original Timestamp: 1613041212 (2021-02-11T11:00:12Z)
Indicators of Compromise
Comment
Value | Description
---|---
Results of the investigation into TA505's attack infrastructure | —
IP
Value | Description
---|---
135.181.97.81 | SDBbot C2 server [2020-11-29:]
158.255.208.148 | SDBbot C2 server
158.255.208.168 | SDBbot C2 server
176.121.14.112 | Metasploit C2 server potentially linked to TA505 activity [2019-07-31:2019-07-31]
176.121.14.132 | CobaltStrike C2 server potentially linked to TA505 activity [2019-07-17:2019-08-06]
176.121.14.140 | CobaltStrike C2 server potentially linked to TA505 activity [2020-09-20:2021-02-04]
176.121.14.173 | Metasploit C2 server potentially linked to TA505 activity [2019-09-23:2019-10-01]
176.121.14.175 | Metasploit C2 server linked to TA505 activity [2020-03-06:2020-12-20]
176.121.14.183 | Metasploit C2 server potentially linked to TA505 activity [2020-03-11:2020-11-13], CobaltStrike C2 server potentially linked to TA505 activity [2020-03-13:2020-11-08]
176.121.14.197 | CobaltStrike C2 server potentially linked to TA505 activity [2020-11-23:2020-11-26]
176.121.14.199 | Metasploit C2 server potentially linked to TA505 activity [2020-03-09:2020-05-16]
176.121.14.208 | Metasploit C2 server potentially linked to TA505 activity [2020-04-12:2020-09-05]
176.121.14.226 | Metasploit C2 server potentially linked to TA505 activity [2020-03-10:2020-12-22], CobaltStrike C2 server potentially linked to TA505 activity [2020-10-07:2020-10-07]
176.121.14.228 | CobaltStrike C2 server potentially linked to TA505 activity [2020-05-08:2020-05-08]
176.121.14.229 | CobaltStrike C2 server potentially linked to TA505 activity [2020-08-22:2021-01-31]
176.121.14.231 | CobaltStrike C2 server potentially linked to TA505 activity [2020-07-28:2020-08-06]
176.121.14.232 | Metasploit C2 server potentially linked to TA505 activity [2020-10-09:2021-01-15]
176.121.14.234 | Metasploit C2 server potentially linked to TA505 activity [2020-11-05:2020-11-27]
176.121.14.235 | Metasploit C2 server potentially linked to TA505 activity [2021-01-06:2021-01-14]
176.121.14.237 | CobaltStrike C2 server potentially linked to TA505 activity [2020-08-19:2020-09-10], Metasploit C2 server potentially linked to TA505 activity [2020-03-21:2020-03-21]
176.121.14.238 | Metasploit C2 server linked to TA505 activity [2020-06-03:2020-12-16]
176.121.14.241 | Metasploit C2 server potentially linked to TA505 activity [2020-03-21:2020-12-18]
176.121.14.249 | CobaltStrike C2 server potentially linked to TA505 activity [2020-10-06:2021-01-09]
176.121.14.251 | CobaltStrike C2 server potentially linked to TA505 activity [2020-10-25:2021-01-30]
185.17.121.188 | SDBbot C2 server
91.214.124.13 | Metasploit C2 server potentially linked to TA505 activity [2019-10-07:2020-02-01]
91.214.124.18 | Metasploit C2 server potentially linked to TA505 activity [2019-08-14:2019-10-15]
91.214.124.20 | Metasploit C2 server linked to TA505 activity [2019-09-11:2020-02-07]
91.214.124.22 | Metasploit C2 server potentially linked to TA505 activity [2019-10-04:2019-10-24]
91.214.124.25 | Metasploit C2 server linked to TA505 activity [2019-12-19:2020-02-05]
91.214.124.29 | Metasploit C2 server potentially linked to TA505 activity [2019-08-10:2019-11-03]
91.214.124.5 | Metasploit C2 server linked to TA505 activity [2019-07-31:2020-02-03]
91.214.124.53 | Metasploit C2 server potentially linked to TA505 activity [2019-09-03:2019-10-30]
91.214.124.54 | Metasploit C2 server potentially linked to TA505 activity [2019-08-04:2020-01-10]
91.214.124.57 | Metasploit C2 server potentially linked to TA505 activity [2020-01-29:2020-02-25]
91.214.124.64 | Metasploit C2 server linked to TA505 activity [2019-11-13:2020-01-15], CobaltStrike C2 server potentially linked to TA505 activity [2019-12-21:2020-01-23]
92.38.135.217 | SDBbot C2 server
Domain
Value | Description
---|---
alpha-telemetry-microsoft.com | Get2 C2 server
att-download.com | Phishing server
auxin-box.com | SDBbot C2 server
backup-place.com | Get2 C2 server
bak-home.com | Get2 C2 server
bak0-store.com | Get2 C2 server
band-switch.com | Get2 C2 server
box-cdn.com | Phishing server
box-cnd.com | Phishing server
box-en-au.com | Phishing server
box-en.com | Phishing server
boxfiles-en.com | Phishing server
boxrcdn.com | Phishing server
cdn-box.com | Phishing server
cdn-downloads.com | Phishing server
cdn-onedrive-live.com | Phishing server
clients-share.com | Phishing server
clietns-download.com | Get2 C2 server
cloud-store-cdn.com | Phishing server
clouds-cdn.com | Phishing server
clouds-doanload-cnd.com | Phishing server
clouds-share.com | Phishing server
corp-downloads.com | Get2 C2 server
corp-storage.com | Get2 C2 server
data-downloads.com | Phishing server
daumcdnf.com | Phishing server
daumcdnr.com | Phishing server
daumcdns.com | Phishing server
def-update.com | Get2 C2 server
definite-limits.com | Get2 C2 server
digitals-space.com | Phishing server
direct-share.com | Phishing server
direct-space.com | Phishing server
direct-upt.com | Get2 C2 server
dl-icloud.com | Phishing server
dl-sharefile.com | Phishing server
dl-sync.com | Phishing server
docs-downloading.com | Phishing server
download-cdn.com | Phishing server
download-shares.com | Phishing server
downloads-links.com | Phishing server
drm-google-analtyic.com | SDBbot C2 server
drm-server-booking.com | SDBbot C2 server
drm-server13-login-microsoftonline.com | SDBbot C2 server
dropbox-cdnn.com | Phishing server
dropbox-cdns.com | Phishing server
dropbox-cdnt.com | Phishing server
dropbox-cnd.com | Phishing server
dropbox-download-eu.com | Phishing server
dropbox-download.com | Phishing server
dropbox-en.com | Phishing server
dropbox-er.com | Phishing server
dropbox-eu.com | Phishing server
dropbox-sdn.com | Phishing server
dropboxccdn.com | Phishing server
dropboxrcdn.com | Phishing server
dropboxscdn.com | Phishing server
dropboxwcdn.com | Phishing server
dyn-downloads.com | Phishing server
dysoool.com | Get2 C2 server
egnytefs.com | Phishing server
eu-download.com | Phishing server
eu-global-online.com | SDBbot C2 server
eu-global.com | SDBbot C2 server
ex-downloads.com | Phishing server
ex-stores.com | Get2 C2 server
facebook-drm-server3.com | SDBbot C2 server
fast-bits.com | Phishing server
fast-gl-backups.com | Get2 C2 server
fasts-downloads.com | Phishing server
file-shares.com | Phishing server
files-downloads.com | Phishing server
fileshare-cdns.com | Phishing server
fileshare-cnd.com | Phishing server
fileshare-storage.com | Phishing server
filesharess.com | Phishing server
filessz.com | Get2 C2 server
first-destin.com | Get2 C2 server
fosdommtoi.com | Get2 C2 server
general-lcfd.com | Get2 C2 server
geo-st-microsoft.com | Get2 C2 server
get-downloads.com | Get2 C2 server
get-hlinks.com | Get2 C2 server
getlink-service.com | Get2 C2 server
global-downloads.com | Phishing server
global-logic-stl.com | Get2 C2 server
glr-ltd.com | Get2 C2 server
going-tr.com | Get2 C2 server
google-eu-cdn.com | Phishing server
google-us-cdn.com | Phishing server
googledrive-download.com | Phishing server
googledrive-en.com | Phishing server
googledrive-eu.com | Phishing server
googledrive-gb.com | Phishing server
groms-dat.com | Get2 C2 server
home-storages.com | Get2 C2 server
i-sharecloud.com | Phishing server
int-download.com | Phishing server
integer-ms-home.com | Get2 C2 server
into-box.com | Get2 C2 server
jp-microsoft-store.com | SDBbot C2 server
limo-ones.com | Get2 C2 server
live-en.com | Get2 C2 server
live-msr.com | Phishing server
local-download.com | Phishing server
long-space.com | Phishing server
main-boost.com | Get2 C2 server
mainten-ferrum.com | Get2 C2 server
mays-ltd.com | Get2 C2 server
md-downloads.com | Phishing server
mgrs-service.com | Get2 C2 server
microsoft-cnd-en.com | Get2 C2 server
microsoft-cnd.com | Get2 C2 server
microsoft-debug-098.com | Get2 C2 server
microsoft-home-en.com | Get2 C2 server
microsoft-hub-us.com | Get2 C2 server
microsoft-live-us.com | Get2 C2 server
microsoft-online-en-us.com | Get2 C2 server
microsoft-sback-server.com | Get2 C2 server
microsoft-store-drm-server.com | Get2 C2 server
microsoft-store-en.com | Get2 C2 server
microsoft-ware.com | Get2 C2 server
mira-store.com | Get2 C2 server
mop-shere.com | Phishing server
ms-break.com | Get2 C2 server
ms-debug-services.com | Get2 C2 server
ms-downloading.com | Phishing server
ms-en-microsoft.com | Get2 C2 server
ms-global-store.com | Get2 C2 server
ms-home-live.com | Get2 C2 server
ms-home-store.com | Get2 C2 server
ms-pipes-service.com | Get2 C2 server
ms-rdt.com | Get2 C2 server
ms-upgrades.com | Get2 C2 server
mslinks-downloads.com | Phishing server
msonebox.com | Get2 C2 server
music-server11-facebook.com | SDBbot C2 server
music-server17-facebook.com | SDBbot C2 server
near-back.com | Get2 C2 server
near-fast.com | Get2 C2 server
nellscorp.com | Get2 C2 server
nels-ltd.com | Get2 C2 server
news-37876-mshome.com | SDBbot C2 server
news-389767-mshome.com | SDBbot C2 server
news-server-drm-google.com | SDBbot C2 server
news-server17-yahoo.com | SDBbot C2 server
nffsd-corp.com | Get2 C2 server
none-class.com | Get2 C2 server
office-en-service.com | Get2 C2 server
office-teml-en.com | Get2 C2 server
office365-en-gb.com | Get2 C2 server
office365-eu-update.com | Get2 C2 server
office365-update-en-gb.com | Get2 C2 server
office365-update-en.com | Get2 C2 server
office365-update-eu.com | Get2 C2 server
office365-us-update.com | Get2 C2 server
one-drive-ms.com | Phishing server
one-drive-storage.com | Phishing server
one-drives.com | Phishing server
onedrive-cdn.com | Phishing server
onedrive-download-en.com | Phishing server
onedrive-download.com | Phishing server
onedrive-en-eu.com | Phishing server
onedrive-en-live.com | Phishing server
onedrive-en.com | Phishing server
onedrive-eu.com | Phishing server
onedrive-fn.com | Phishing server
onedrive-live-en.com | Phishing server
onedrive-sd.com | Phishing server
onedrive-sdn.com | Phishing server
onedrive-sn.com | Phishing server
onedrive-us-en.com | Phishing server
onedrives-en-live.com | Phishing server
onehub-cdn.com | Phishing server
onehub-en.com | Phishing server
onesdrives.com | Phishing server
online-office365.com | Get2 C2 server
onms-home.com | Get2 C2 server
own-eu-cloud.com | Phishing server
owncloud-cdn.com | Phishing server
personal-dss.com | Get2 C2 server
pssd-ltdgroup.com | Get2 C2 server
rapid-stores.com | Get2 C2 server
rdmsom.com | Get2 C2 server
res-backup.com | Get2 C2 server
reselling-corp.com | Get2 C2 server
river-store.com | Phishing server
rmt-downloads.com | Phishing server
s3-ap-southeast-1-amazonaws.com | SDBbot C2 server
s3-ap-southeast-2-amazonaws.com | SDBbot C2 server
s77657453-onedrive.com | SDBbot C2 server
s89065339-onedrive.com | SDBbot C2 server
sdff-corp.com | Get2 C2 server
see-back.com | Get2 C2 server
selling-group.com | Get2 C2 server
share-clouds.com | Phishing server
share-downloading.com | Phishing server
share-stores.com | Phishing server
shared-cnd.com | Phishing server
shared-download.com | Phishing server
shared-downloads.com | Phishing server
shared-filez.com | Phishing server
sharefile-cnd.com | Phishing server
sharefile-us.com | Phishing server
sharefiles-download.com | Phishing server
sharefiles-en.com | Phishing server
sharefiles-eu.com | Phishing server
sharefileszz.com | Get2 C2 server
shares-cdns.com | Phishing server
shares-cloud.com | Phishing server
sharespoint-en.com | Phishing server
short-share.com | Phishing server
shortcut-links.com | Phishing server
shr-links.com | Get2 C2 server
siron-del.com | Get2 C2 server
sl-downloads.com | Phishing server
stat-downloads.com | Phishing server
static-downloads.com | Get2 C2 server
static-google-analtyic.com | SDBbot C2 server
store-000846-live.com | SDBbot C2 server
store-003774-live.com | SDBbot C2 server
store-downloads.com | Phishing server
store-in-box.com | Get2 C2 server
stt-box.com | Get2 C2 server
studio-stlsdr.com | Get2 C2 server
sync-share.com | Phishing server
syncdownload.com | Phishing server
syncdownloading.com | Phishing server
tnrff-home.com | Get2 C2 server
toppon-studio.com | Get2 C2 server
transff-reddon.com | Get2 C2 server
tremd-space.com | Phishing server
update-ms-en-office365.com | Get2 C2 server
update-msoffice365.com | Get2 C2 server
update365-office-ens.com | Get2 C2 server
upgrade-ms-home.com | Get2 C2 server
url-space.com | Phishing server
us-microsoft-store.com | SDBbot C2 server
usr-telemetry-microsoft.com | Get2 C2 server
west-dat.com | Get2 C2 server
windows-afx-update.com | Get2 C2 server
windows-appstore-en.com | Get2 C2 server
windows-avs-update.com | Get2 C2 server
windows-cnd-update.com | Phishing server
windows-dev-sec.com | Get2 C2 server
windows-en-us-update.com | Get2 C2 server
windows-fsd-update.com | Get2 C2 server
windows-me-update.com | Get2 C2 server
windows-msd-update.com | Get2 C2 server
windows-office365.com | Get2 C2 server
windows-se-update.com | Get2 C2 server
windows-service-en.com | Get2 C2 server
windows-service-us.com | Get2 C2 server
windows-several-update.com | Get2 C2 server
windows-sys-update.com | Get2 C2 server
windows-update-02-en.com | Get2 C2 server
windows-update-sdbt.com | Get2 C2 server
windows-update-sdfw.com | Get2 C2 server
windows-update-sys.com | Get2 C2 server
windows-upgrade-en.com | Get2 C2 server
windows-wsus-en.com | Get2 C2 server
windows-wsus-update.com | Get2 C2 server
wire-share.com | Get2 C2 server
wpad-home.com | Get2 C2 server
xbox-en-cnd.com | Get2 C2 server
xbox-ms-store-debug.com | SDBbot C2 server
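The second mitigation recommendation above (matching network telemetry against TA505 infrastructure indicators) and the indicator tables can be exercised together with the following Python script. It is an added example, not code from CERT-FR, CIRCL or this page: it copies a handful of rows from the tables above, constructs its own proxy log lines, and assumes that the bracketed dates in the IP descriptions denote a first-seen:last-seen observation window (the report does not define that notation). Two practitioner caveats are built in. Domain matching is label-wise, so the lookalike `s3-ap-southeast-1-amazonaws.com` from the report is matched but the legitimate `s3-ap-southeast-1.amazonaws.com` is not; and a C2 IP contacted outside its observation window is still reported, flagged as lower confidence, because hosting addresses are routinely reassigned.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Rows copied from the page's IoC tables: (type, value, description).
IOC_ROWS = [
    ("ip", "135.181.97.81", "SDBbot C2 server [2020-11-29:]"),
    ("ip", "176.121.14.183",
     "Metasploit C2 server potentially linked to TA505 activity [2020-03-11:2020-11-13], "
     "CobaltStrike C2 server potentially linked to TA505 activity [2020-03-13:2020-11-08]"),
    ("ip", "91.214.124.5", "Metasploit C2 server linked to TA505 activity [2019-07-31:2020-02-03]"),
    ("domain", "onedrive-download.com", "Phishing server"),
    ("domain", "s3-ap-southeast-1-amazonaws.com", "SDBbot C2 server"),
]

# Constructed proxy log lines (not from the report): "<UTC ts> <src IP> <dst host or -> <dst IP>".
LOG_LINES = [
    "2020-12-01T09:14:02Z 10.0.4.21 update.onedrive-download.com 203.0.113.10",
    "2020-06-15T11:02:44Z 10.0.4.37 - 176.121.14.183",
    "2021-03-02T17:45:09Z 10.0.4.37 - 91.214.124.5",
    "2020-12-01T09:20:00Z 10.0.4.21 s3-ap-southeast-1.amazonaws.com 203.0.113.11",
    "2021-02-10T08:00:00Z 10.0.4.50 - 135.181.97.81",
]

# A Description cell may hold several comma-separated entries, each optionally followed by
# "[first:last]" with either date empty. Reading that as an observation window is an assumption.
ENTRY_RE = re.compile(
    r"\s*(?P<label>[^\[\],]+?)\s*(?:\[(?P<first>[\d-]*):(?P<last>[\d-]*)\])?\s*(?:,|$)"
)

@dataclass(frozen=True)
class Sighting:
    label: str                  # e.g. "SDBbot C2 server"
    first_seen: Optional[date]  # None when no start date is given
    last_seen: Optional[date]   # None when the window is open-ended

@dataclass(frozen=True)
class Hit:
    timestamp: str
    observable: str            # host or IP seen in the log line
    indicator: str             # the IoC value it matched
    label: str
    in_window: Optional[bool]  # None for domains, which carry no dates on the page

def parse_description(desc: str) -> list:
    """Split one Description cell into labelled sightings with optional date windows."""
    out = []
    for m in ENTRY_RE.finditer(desc):
        first = date.fromisoformat(m["first"]) if m["first"] else None
        last = date.fromisoformat(m["last"]) if m["last"] else None
        out.append(Sighting(m["label"], first, last))
    return out

def build_index(rows):
    """Index IoC rows by parsed IP address and by normalised domain name."""
    ips, domains = {}, {}
    for kind, value, desc in rows:
        if kind == "ip":
            ips[ipaddress.ip_address(value)] = parse_description(desc)
        elif kind == "domain":
            domains[value.lower().rstrip(".")] = parse_description(desc)
    return ips, domains

def match_host(host: str, domains: dict) -> Optional[str]:
    """Return the indexed domain equal to `host` or a parent of it, else None.
    Label-wise matching keeps a dot-for-hyphen lookalike apart from the real domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def in_window(day: date, s: Sighting) -> bool:
    """True when `day` lies inside the sighting's observation window; open ends pass."""
    return (s.first_seen is None or day >= s.first_seen) and (s.last_seen is None or day <= s.last_seen)

def scan(lines, rows) -> list:
    """Match each log line against the indicator index; return every hit in order."""
    ips, domains = build_index(rows)
    hits = []
    for line in lines:
        ts, _src, host, dst = line.split()
        event_day = date.fromisoformat(ts[:10])
        matched = match_host(host, domains) if host != "-" else None
        for s in (domains[matched] if matched else []):
            hits.append(Hit(ts, host, matched, s.label, None))
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Out-of-window IP contacts are still reported but flagged: hosting addresses
        # get reassigned, so the window matters for triage.
        for s in ips.get(addr, []):
            hits.append(Hit(ts, dst, dst, s.label, in_window(event_day, s)))
    return hits
```

Calling `scan(LOG_LINES, IOC_ROWS)` yields five hits: the subdomain of the phishing domain, two in-window sightings for 176.121.14.183 (the cell lists both a Metasploit and a Cobalt Strike role), an out-of-window contact with 91.214.124.5 in 2021, and an in-window contact with the open-ended SDBbot address; the legitimate AWS hostname produces nothing. To use it on real telemetry, replace `IOC_ROWS` with the full tables and `LOG_LINES` with your proxy or DNS export in the same four-field form.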
Threat ID: 682c7adce3e6de8ceb778249
Added to database: 5/20/2025, 12:51:40 PM
Last enriched: 6/19/2025, 2:20:39 PM
Last updated: 8/15/2025, 4:34:24 AM