[CERT-FR] Infrastructure d'attaque du groupe cybercriminel TA505

Severity: mediumType: threat-actor

Résultats de l'investigation sur l'infrastructure d'attaque de TA505

AI Analysis

Technical Summary

The provided information pertains to an investigation into the attack infrastructure used by the cybercriminal group TA505, as reported by CERT-FR and sourced from CIRCL. TA505 is a well-known financially motivated threat actor group recognized for deploying large-scale spam campaigns and distributing various malware families, including banking trojans, ransomware, and remote access trojans. The report focuses on the infrastructure supporting TA505's operations rather than a specific vulnerability or exploit. The investigation likely includes analysis of command and control (C2) servers, malware distribution points, and associated network activity used by TA505 to conduct their campaigns. Although no specific affected products or versions are identified, the threat actor's infrastructure is critical in enabling their attacks, which typically target financial institutions, retail, and other sectors globally. The report is classified as medium severity, with a threat level and analysis rating of 2 (on an unspecified scale), and no known exploits or patches are associated since this is an infrastructure-focused intelligence report rather than a vulnerability disclosure. The confidence in the data is moderate, with a 50% certainty indicated. The report is based on open-source intelligence (OSINT) with good reliability and is shared under a white traffic light protocol (TLP), meaning it is intended for broad distribution. The mention of FIN11 alongside TA505 suggests possible overlaps or related activity between these financially motivated groups. Overall, this intelligence highlights the ongoing monitoring and disruption efforts against TA505's infrastructure to mitigate their cybercrime campaigns.

Potential Impact

For European organizations, the presence and activity of TA505's attack infrastructure pose a significant risk primarily through phishing campaigns, malware infections, and potential ransomware attacks. TA505's operations can lead to financial losses, data breaches, operational disruptions, and reputational damage. Given TA505's history of targeting financial services, retail, and other critical sectors, European entities in these industries are particularly at risk. The infrastructure enables widespread malware distribution, increasing the likelihood of successful compromises if defenses are not robust. Additionally, the persistent nature of TA505's campaigns means that organizations may face repeated targeting attempts. The medium severity rating reflects that while no direct vulnerability is exploited here, the threat actor's infrastructure facilitates attacks that can have high impact if successful. Disruptions to availability, confidentiality breaches of sensitive data, and integrity compromises through malware infections are all potential consequences. The lack of patches or direct exploits means mitigation focuses on detection and prevention of intrusion attempts rather than vulnerability remediation.

Mitigation Recommendations

Mitigation should focus on proactive detection and disruption of TA505-related infrastructure and attack vectors. Specific recommendations include: 1) Implement advanced email filtering and anti-phishing technologies to block TA505's spam campaigns, including sandboxing and URL reputation analysis. 2) Deploy network monitoring tools capable of detecting known TA505 C2 server communications and anomalous traffic patterns, leveraging threat intelligence feeds that include TA505 infrastructure indicators. 3) Conduct regular threat hunting exercises focusing on TA505 tactics, techniques, and procedures (TTPs), including monitoring for malware families historically associated with TA505. 4) Enforce strict endpoint protection with behavioral analysis to detect and block malware execution linked to TA505 campaigns. 5) Maintain up-to-date user awareness training emphasizing phishing recognition and reporting, tailored to the latest TA505 phishing lures. 6) Collaborate with national and European cybersecurity centers to share intelligence and participate in takedown efforts against TA505 infrastructure. 7) Apply network segmentation and least privilege principles to limit lateral movement if initial compromise occurs. 8) Regularly update and test incident response plans to ensure readiness against TA505-related incidents. These measures go beyond generic advice by focusing on intelligence-driven detection and response aligned with TA505's known operational patterns.

Affected Countries

France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland

Indicators of Compromise

comment: Résultats de l'investigation sur l'infrastructure d'attaque de TA505
ip: 135.181.97.81
ip: 158.255.208.148
ip: 158.255.208.168
ip: 176.121.14.112
ip: 176.121.14.132
ip: 176.121.14.140
ip: 176.121.14.173
ip: 176.121.14.175
ip: 176.121.14.183
ip: 176.121.14.197
ip: 176.121.14.199
ip: 176.121.14.208
ip: 176.121.14.226
ip: 176.121.14.228
ip: 176.121.14.229
ip: 176.121.14.231
ip: 176.121.14.232
ip: 176.121.14.234
ip: 176.121.14.235
ip: 176.121.14.237
ip: 176.121.14.238
ip: 176.121.14.241
ip: 176.121.14.249
ip: 176.121.14.251
ip: 185.17.121.188
ip: 91.214.124.13
ip: 91.214.124.18
ip: 91.214.124.20
ip: 91.214.124.22
ip: 91.214.124.25
ip: 91.214.124.29
ip: 91.214.124.5
ip: 91.214.124.53
ip: 91.214.124.54
ip: 91.214.124.57
ip: 91.214.124.64
ip: 92.38.135.217
domain: alpha-telemetry-microsoft.com
domain: att-download.com
domain: auxin-box.com
domain: backup-place.com
domain: bak-home.com
domain: bak0-store.com
domain: band-switch.com
domain: box-cdn.com
domain: box-cnd.com
domain: box-en-au.com
domain: box-en.com
domain: boxfiles-en.com
domain: boxrcdn.com
domain: cdn-box.com
domain: cdn-downloads.com
domain: cdn-onedrive-live.com
domain: clients-share.com
domain: clietns-download.com
domain: cloud-store-cdn.com
domain: clouds-cdn.com
domain: clouds-doanload-cnd.com
domain: clouds-share.com
domain: corp-downloads.com
domain: corp-storage.com
domain: data-downloads.com
domain: daumcdnf.com
domain: daumcdnr.com
domain: daumcdns.com
domain: def-update.com
domain: definite-limits.com
domain: digitals-space.com
domain: direct-share.com
domain: direct-space.com
domain: direct-upt.com
domain: dl-icloud.com
domain: dl-sharefile.com
domain: dl-sync.com
domain: docs-downloading.com
domain: download-cdn.com
domain: download-shares.com
domain: downloads-links.com
domain: drm-google-analtyic.com
domain: drm-server-booking.com
domain: drm-server13-login-microsoftonline.com
domain: dropbox-cdnn.com
domain: dropbox-cdns.com
domain: dropbox-cdnt.com
domain: dropbox-cnd.com
domain: dropbox-download-eu.com
domain: dropbox-download.com
domain: dropbox-en.com
domain: dropbox-er.com
domain: dropbox-eu.com
domain: dropbox-sdn.com
domain: dropboxccdn.com
domain: dropboxrcdn.com
domain: dropboxscdn.com
domain: dropboxwcdn.com
domain: dyn-downloads.com
domain: dysoool.com
domain: egnytefs.com
domain: eu-download.com
domain: eu-global-online.com
domain: eu-global.com
domain: ex-downloads.com
domain: ex-stores.com
domain: facebook-drm-server3.com
domain: fast-bits.com
domain: fast-gl-backups.com
domain: fasts-downloads.com
domain: file-shares.com
domain: files-downloads.com
domain: fileshare-cdns.com
domain: fileshare-cnd.com
domain: fileshare-storage.com
domain: filesharess.com
domain: filessz.com
domain: first-destin.com
domain: fosdommtoi.com
domain: general-lcfd.com
domain: geo-st-microsoft.com
domain: get-downloads.com
domain: get-hlinks.com
domain: getlink-service.com
domain: global-downloads.com
domain: global-logic-stl.com
domain: glr-ltd.com
domain: going-tr.com
domain: google-eu-cdn.com
domain: google-us-cdn.com
domain: googledrive-download.com
domain: googledrive-en.com
domain: googledrive-eu.com
domain: googledrive-gb.com
domain: groms-dat.com
domain: home-storages.com
domain: i-sharecloud.com
domain: int-download.com
domain: integer-ms-home.com
domain: into-box.com
domain: jp-microsoft-store.com
domain: limo-ones.com
domain: live-en.com
domain: live-msr.com
domain: local-download.com
domain: long-space.com
domain: main-boost.com
domain: mainten-ferrum.com
domain: mays-ltd.com
domain: md-downloads.com
domain: mgrs-service.com
domain: microsoft-cnd-en.com
domain: microsoft-cnd.com
domain: microsoft-debug-098.com
domain: microsoft-home-en.com
domain: microsoft-hub-us.com
domain: microsoft-live-us.com
domain: microsoft-online-en-us.com
domain: microsoft-sback-server.com
domain: microsoft-store-drm-server.com
domain: microsoft-store-en.com
domain: microsoft-ware.com
domain: mira-store.com
domain: mop-shere.com
domain: ms-break.com
domain: ms-debug-services.com
domain: ms-downloading.com
domain: ms-en-microsoft.com
domain: ms-global-store.com
domain: ms-home-live.com
domain: ms-home-store.com
domain: ms-pipes-service.com
domain: ms-rdt.com
domain: ms-upgrades.com
domain: mslinks-downloads.com
domain: msonebox.com
domain: music-server11-facebook.com
domain: music-server17-facebook.com
domain: near-back.com
domain: near-fast.com
domain: nellscorp.com
domain: nels-ltd.com
domain: news-37876-mshome.com
domain: news-389767-mshome.com
domain: news-server-drm-google.com
domain: news-server17-yahoo.com
domain: nffsd-corp.com
domain: none-class.com
domain: office-en-service.com
domain: office-teml-en.com
domain: office365-en-gb.com
domain: office365-eu-update.com
domain: office365-update-en-gb.com
domain: office365-update-en.com
domain: office365-update-eu.com
domain: office365-us-update.com
domain: one-drive-ms.com
domain: one-drive-storage.com
domain: one-drives.com
domain: onedrive-cdn.com
domain: onedrive-download-en.com
domain: onedrive-download.com
domain: onedrive-en-eu.com
domain: onedrive-en-live.com
domain: onedrive-en.com
domain: onedrive-eu.com
domain: onedrive-fn.com
domain: onedrive-live-en.com
domain: onedrive-sd.com
domain: onedrive-sdn.com
domain: onedrive-sn.com
domain: onedrive-us-en.com
domain: onedrives-en-live.com
domain: onehub-cdn.com
domain: onehub-en.com
domain: onesdrives.com
domain: online-office365.com
domain: onms-home.com
domain: own-eu-cloud.com
domain: owncloud-cdn.com
domain: personal-dss.com
domain: pssd-ltdgroup.com
domain: rapid-stores.com
domain: rdmsom.com
domain: res-backup.com
domain: reselling-corp.com
domain: river-store.com
domain: rmt-downloads.com
domain: s3-ap-southeast-1-amazonaws.com
domain: s3-ap-southeast-2-amazonaws.com
domain: s77657453-onedrive.com
domain: s89065339-onedrive.com
domain: sdff-corp.com
domain: see-back.com
domain: selling-group.com
domain: share-clouds.com
domain: share-downloading.com
domain: share-stores.com
domain: shared-cnd.com
domain: shared-download.com
domain: shared-downloads.com
domain: shared-filez.com
domain: sharefile-cnd.com
domain: sharefile-us.com
domain: sharefiles-download.com
domain: sharefiles-en.com
domain: sharefiles-eu.com
domain: sharefileszz.com
domain: shares-cdns.com
domain: shares-cloud.com
domain: sharespoint-en.com
domain: short-share.com
domain: shortcut-links.com
domain: shr-links.com
domain: siron-del.com
domain: sl-downloads.com
domain: stat-downloads.com
domain: static-downloads.com
domain: static-google-analtyic.com
domain: store-000846-live.com
domain: store-003774-live.com
domain: store-downloads.com
domain: store-in-box.com
domain: stt-box.com
domain: studio-stlsdr.com
domain: sync-share.com
domain: syncdownload.com
domain: syncdownloading.com
domain: tnrff-home.com
domain: toppon-studio.com
domain: transff-reddon.com
domain: tremd-space.com
domain: update-ms-en-office365.com
domain: update-msoffice365.com
domain: update365-office-ens.com
domain: upgrade-ms-home.com
domain: url-space.com
domain: us-microsoft-store.com
domain: usr-telemetry-microsoft.com
domain: west-dat.com
domain: windows-afx-update.com
domain: windows-appstore-en.com
domain: windows-avs-update.com
domain: windows-cnd-update.com
domain: windows-dev-sec.com
domain: windows-en-us-update.com
domain: windows-fsd-update.com
domain: windows-me-update.com
domain: windows-msd-update.com
domain: windows-office365.com
domain: windows-se-update.com
domain: windows-service-en.com
domain: windows-service-us.com
domain: windows-several-update.com
domain: windows-sys-update.com
domain: windows-update-02-en.com
domain: windows-update-sdbt.com
domain: windows-update-sdfw.com
domain: windows-update-sys.com
domain: windows-upgrade-en.com
domain: windows-wsus-en.com
domain: windows-wsus-update.com
domain: wire-share.com
domain: wpad-home.com
domain: xbox-en-cnd.com
domain: xbox-ms-store-debug.com

[CERT-FR] Infrastructure d'attaque du groupe cybercriminel TA505

Severity: medium

Type: threat-actor

Résultats de l'investigation sur l'infrastructure d'attaque de TA505

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland

Indicators of Compromise

comment: Résultats de l'investigation sur l'infrastructure d'attaque de TA505
ip: 135.181.97.81
ip: 158.255.208.148
ip: 158.255.208.168
ip: 176.121.14.112
ip: 176.121.14.132
ip: 176.121.14.140
ip: 176.121.14.173
ip: 176.121.14.175
ip: 176.121.14.183
ip: 176.121.14.197
ip: 176.121.14.199
ip: 176.121.14.208
ip: 176.121.14.226
ip: 176.121.14.228
ip: 176.121.14.229
ip: 176.121.14.231
ip: 176.121.14.232
ip: 176.121.14.234
ip: 176.121.14.235
ip: 176.121.14.237
ip: 176.121.14.238
ip: 176.121.14.241
ip: 176.121.14.249
ip: 176.121.14.251
ip: 185.17.121.188
ip: 91.214.124.13
ip: 91.214.124.18
ip: 91.214.124.20
ip: 91.214.124.22
ip: 91.214.124.25
ip: 91.214.124.29
ip: 91.214.124.5
ip: 91.214.124.53
ip: 91.214.124.54
ip: 91.214.124.57
ip: 91.214.124.64
ip: 92.38.135.217
domain: alpha-telemetry-microsoft.com
domain: att-download.com
domain: auxin-box.com
domain: backup-place.com
domain: bak-home.com
domain: bak0-store.com
domain: band-switch.com
domain: box-cdn.com
domain: box-cnd.com
domain: box-en-au.com
domain: box-en.com
domain: boxfiles-en.com
domain: boxrcdn.com
domain: cdn-box.com
domain: cdn-downloads.com
domain: cdn-onedrive-live.com
domain: clients-share.com
domain: clietns-download.com
domain: cloud-store-cdn.com
domain: clouds-cdn.com
domain: clouds-doanload-cnd.com
domain: clouds-share.com
domain: corp-downloads.com
domain: corp-storage.com
domain: data-downloads.com
domain: daumcdnf.com
domain: daumcdnr.com
domain: daumcdns.com
domain: def-update.com
domain: definite-limits.com
domain: digitals-space.com
domain: direct-share.com
domain: direct-space.com
domain: direct-upt.com
domain: dl-icloud.com
domain: dl-sharefile.com
domain: dl-sync.com
domain: docs-downloading.com
domain: download-cdn.com
domain: download-shares.com
domain: downloads-links.com
domain: drm-google-analtyic.com
domain: drm-server-booking.com
domain: drm-server13-login-microsoftonline.com
domain: dropbox-cdnn.com
domain: dropbox-cdns.com
domain: dropbox-cdnt.com
domain: dropbox-cnd.com
domain: dropbox-download-eu.com
domain: dropbox-download.com
domain: dropbox-en.com
domain: dropbox-er.com
domain: dropbox-eu.com
domain: dropbox-sdn.com
domain: dropboxccdn.com
domain: dropboxrcdn.com
domain: dropboxscdn.com
domain: dropboxwcdn.com
domain: dyn-downloads.com
domain: dysoool.com
domain: egnytefs.com
domain: eu-download.com
domain: eu-global-online.com
domain: eu-global.com
domain: ex-downloads.com
domain: ex-stores.com
domain: facebook-drm-server3.com
domain: fast-bits.com
domain: fast-gl-backups.com
domain: fasts-downloads.com
domain: file-shares.com
domain: files-downloads.com
domain: fileshare-cdns.com
domain: fileshare-cnd.com
domain: fileshare-storage.com
domain: filesharess.com
domain: filessz.com
domain: first-destin.com
domain: fosdommtoi.com
domain: general-lcfd.com
domain: geo-st-microsoft.com
domain: get-downloads.com
domain: get-hlinks.com
domain: getlink-service.com
domain: global-downloads.com
domain: global-logic-stl.com
domain: glr-ltd.com
domain: going-tr.com
domain: google-eu-cdn.com
domain: google-us-cdn.com
domain: googledrive-download.com
domain: googledrive-en.com
domain: googledrive-eu.com
domain: googledrive-gb.com
domain: groms-dat.com
domain: home-storages.com
domain: i-sharecloud.com
domain: int-download.com
domain: integer-ms-home.com
domain: into-box.com
domain: jp-microsoft-store.com
domain: limo-ones.com
domain: live-en.com
domain: live-msr.com
domain: local-download.com
domain: long-space.com
domain: main-boost.com
domain: mainten-ferrum.com
domain: mays-ltd.com
domain: md-downloads.com
domain: mgrs-service.com
domain: microsoft-cnd-en.com
domain: microsoft-cnd.com
domain: microsoft-debug-098.com
domain: microsoft-home-en.com
domain: microsoft-hub-us.com
domain: microsoft-live-us.com
domain: microsoft-online-en-us.com
domain: microsoft-sback-server.com
domain: microsoft-store-drm-server.com
domain: microsoft-store-en.com
domain: microsoft-ware.com
domain: mira-store.com
domain: mop-shere.com
domain: ms-break.com
domain: ms-debug-services.com
domain: ms-downloading.com
domain: ms-en-microsoft.com
domain: ms-global-store.com
domain: ms-home-live.com
domain: ms-home-store.com
domain: ms-pipes-service.com
domain: ms-rdt.com
domain: ms-upgrades.com
domain: mslinks-downloads.com
domain: msonebox.com
domain: music-server11-facebook.com
domain: music-server17-facebook.com
domain: near-back.com
domain: near-fast.com
domain: nellscorp.com
domain: nels-ltd.com
domain: news-37876-mshome.com
domain: news-389767-mshome.com
domain: news-server-drm-google.com
domain: news-server17-yahoo.com
domain: nffsd-corp.com
domain: none-class.com
domain: office-en-service.com
domain: office-teml-en.com
domain: office365-en-gb.com
domain: office365-eu-update.com
domain: office365-update-en-gb.com
domain: office365-update-en.com
domain: office365-update-eu.com
domain: office365-us-update.com
domain: one-drive-ms.com
domain: one-drive-storage.com
domain: one-drives.com
domain: onedrive-cdn.com
domain: onedrive-download-en.com
domain: onedrive-download.com
domain: onedrive-en-eu.com
domain: onedrive-en-live.com
domain: onedrive-en.com
domain: onedrive-eu.com
domain: onedrive-fn.com
domain: onedrive-live-en.com
domain: onedrive-sd.com
domain: onedrive-sdn.com
domain: onedrive-sn.com
domain: onedrive-us-en.com
domain: onedrives-en-live.com
domain: onehub-cdn.com
domain: onehub-en.com
domain: onesdrives.com
domain: online-office365.com
domain: onms-home.com
domain: own-eu-cloud.com
domain: owncloud-cdn.com
domain: personal-dss.com
domain: pssd-ltdgroup.com
domain: rapid-stores.com
domain: rdmsom.com
domain: res-backup.com
domain: reselling-corp.com
domain: river-store.com
domain: rmt-downloads.com
domain: s3-ap-southeast-1-amazonaws.com
domain: s3-ap-southeast-2-amazonaws.com
domain: s77657453-onedrive.com
domain: s89065339-onedrive.com
domain: sdff-corp.com
domain: see-back.com
domain: selling-group.com
domain: share-clouds.com
domain: share-downloading.com
domain: share-stores.com
domain: shared-cnd.com
domain: shared-download.com
domain: shared-downloads.com
domain: shared-filez.com
domain: sharefile-cnd.com
domain: sharefile-us.com
domain: sharefiles-download.com
domain: sharefiles-en.com
domain: sharefiles-eu.com
domain: sharefileszz.com
domain: shares-cdns.com
domain: shares-cloud.com
domain: sharespoint-en.com
domain: short-share.com
domain: shortcut-links.com
domain: shr-links.com
domain: siron-del.com
domain: sl-downloads.com
domain: stat-downloads.com
domain: static-downloads.com
domain: static-google-analtyic.com
domain: store-000846-live.com
domain: store-003774-live.com
domain: store-downloads.com
domain: store-in-box.com
domain: stt-box.com
domain: studio-stlsdr.com
domain: sync-share.com
domain: syncdownload.com
domain: syncdownloading.com
domain: tnrff-home.com
domain: toppon-studio.com
domain: transff-reddon.com
domain: tremd-space.com
domain: update-ms-en-office365.com
domain: update-msoffice365.com
domain: update365-office-ens.com
domain: upgrade-ms-home.com
domain: url-space.com
domain: us-microsoft-store.com
domain: usr-telemetry-microsoft.com
domain: west-dat.com
domain: windows-afx-update.com
domain: windows-appstore-en.com
domain: windows-avs-update.com
domain: windows-cnd-update.com
domain: windows-dev-sec.com
domain: windows-en-us-update.com
domain: windows-fsd-update.com
domain: windows-me-update.com
domain: windows-msd-update.com
domain: windows-office365.com
domain: windows-se-update.com
domain: windows-service-en.com
domain: windows-service-us.com
domain: windows-several-update.com
domain: windows-sys-update.com
domain: windows-update-02-en.com
domain: windows-update-sdbt.com
domain: windows-update-sdfw.com
domain: windows-update-sys.com
domain: windows-upgrade-en.com
domain: windows-wsus-en.com
domain: windows-wsus-update.com
domain: wire-share.com
domain: wpad-home.com
domain: xbox-en-cnd.com
domain: xbox-ms-store-debug.com

Source: CIRCL

Published: Mon Feb 08 2021

[CERT-FR] Infrastructure d'attaque du groupe cybercriminel TA505

Medium

Threat Actorfr-classif:non-classifiees="non-classifiees"cossi:tlp="white"cossi:recherchesourceouverte="autorisee"cossi:fiabilite="bonne"misp-galaxy:threat-actor="fin11"misp-galaxy:threat-actor="ta505"type:osint osint:lifetime="perpetual"osint:certainty="50"tlp:white

Published: Mon Feb 08 2021 (02/08/2021, 00:00:00 UTC)

Source: CIRCL

Vendor/Project: fr-classif

Product: non-classifiees

Description

Résultats de l'investigation sur l'infrastructure d'attaque de TA505

AI-Powered Analysis

AILast updated: 06/19/2025, 14:20:39 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Threat Level: 2
Analysis: 2
Uuid: 6021536f-a808-4b9c-8136-d7460aba047c
Original Timestamp: 1613041212

Indicators of Compromise

Comment

Value	Description	Copy
commentRésultats de l'investigation sur l'infrastructure d'attaque de TA505	—

Ip

Value	Description	Copy
ip135.181.97.81	SDBbot C2 server [2020-11-29:]
ip158.255.208.148	SDBbot C2 server
ip158.255.208.168	SDBbot C2 server
ip176.121.14.112	Metasploit C2 server potentially linked to TA505 activity [2019-07-31:2019-07-31]
ip176.121.14.132	CobaltStrike C2 server potentially linked to TA505 activity [2019-07-17:2019-08-06]
ip176.121.14.140	CobaltStrike C2 server potentially linked to TA505 activity [2020-09-20:2021-02-04]
ip176.121.14.173	Metasploit C2 server potentially linked to TA505 activity [2019-09-23:2019-10-01]
ip176.121.14.175	Metasploit C2 server linked to TA505 activity [2020-03-06:2020-12-20]
ip176.121.14.183	Metasploit C2 server potentially linked to TA505 activity [2020-03-11:2020-11-13], CobaltStrike C2 server potentially linked to TA505 activity [2020-03-13:2020-11-08]
ip176.121.14.197	CobaltStrike C2 server potentially linked to TA505 activity [2020-11-23:2020-11-26]
ip176.121.14.199	Metasploit C2 server potentially linked to TA505 activity [2020-03-09:2020-05-16]
ip176.121.14.208	Metasploit C2 server potentially linked to TA505 activity [2020-04-12:2020-09-05]
ip176.121.14.226	Metasploit C2 server potentially linked to TA505 activity [2020-03-10:2020-12-22], CobaltStrike C2 server potentially linked to TA505 activity [2020-10-07:2020-10-07]
ip176.121.14.228	CobaltStrike C2 server potentially linked to TA505 activity [2020-05-08:2020-05-08]
ip176.121.14.229	CobaltStrike C2 server potentially linked to TA505 activity [2020-08-22:2021-01-31]
ip176.121.14.231	CobaltStrike C2 server potentially linked to TA505 activity [2020-07-28:2020-08-06]
ip176.121.14.232	Metasploit C2 server potentially linked to TA505 activity [2020-10-09:2021-01-15]
ip176.121.14.234	Metasploit C2 server potentially linked to TA505 activity [2020-11-05:2020-11-27]
ip176.121.14.235	Metasploit C2 server potentially linked to TA505 activity [2021-01-06:2021-01-14]
ip176.121.14.237	CobaltStrike C2 server potentially linked to TA505 activity [2020-08-19:2020-09-10], Metasploit C2 server potentially linked to TA505 activity [2020-03-21:2020-03-21]
ip176.121.14.238	Metasploit C2 server linked to TA505 activity [2020-06-03:2020-12-16]
ip176.121.14.241	Metasploit C2 server potentially linked to TA505 activity [2020-03-21:2020-12-18]
ip176.121.14.249	CobaltStrike C2 server potentially linked to TA505 activity [2020-10-06:2021-01-09]
ip176.121.14.251	CobaltStrike C2 server potentially linked to TA505 activity [2020-10-25:2021-01-30]
ip185.17.121.188	SDBbot C2 server
ip91.214.124.13	Metasploit C2 server potentially linked to TA505 activity [2019-10-07:2020-02-01]
ip91.214.124.18	Metasploit C2 server potentially linked to TA505 activity [2019-08-14:2019-10-15]
ip91.214.124.20	Metasploit C2 server linked to TA505 activity [2019-09-11:2020-02-07]
ip91.214.124.22	Metasploit C2 server potentially linked to TA505 activity [2019-10-04:2019-10-24]
ip91.214.124.25	Metasploit C2 server linked to TA505 activity [2019-12-19:2020-02-05]
ip91.214.124.29	Metasploit C2 server potentially linked to TA505 activity [2019-08-10:2019-11-03]
ip91.214.124.5	Metasploit C2 server linked to TA505 activity [2019-07-31:2020-02-03]
ip91.214.124.53	Metasploit C2 server potentially linked to TA505 activity [2019-09-03:2019-10-30]
ip91.214.124.54	Metasploit C2 server potentially linked to TA505 activity [2019-08-04:2020-01-10]
ip91.214.124.57	Metasploit C2 server potentially linked to TA505 activity [2020-01-29:2020-02-25]
ip91.214.124.64	Metasploit C2 server linked to TA505 activity [2019-11-13:2020-01-15], CobaltStrike C2 server potentially linked to TA505 activity [2019-12-21:2020-01-23]
ip92.38.135.217	SDBbot C2 server

Domain

Value	Description	Copy
domainalpha-telemetry-microsoft.com	Get2 C2 server
domainatt-download.com	Phishing server
domainauxin-box.com	SDBbot C2 server
domainbackup-place.com	Get2 C2 server
domainbak-home.com	Get2 C2 server
domainbak0-store.com	Get2 C2 server
domainband-switch.com	Get2 C2 server
domainbox-cdn.com	Phishing server
domainbox-cnd.com	Phishing server
domainbox-en-au.com	Phishing server
domainbox-en.com	Phishing server
domainboxfiles-en.com	Phishing server
domainboxrcdn.com	Phishing server
domaincdn-box.com	Phishing server
domaincdn-downloads.com	Phishing server
domaincdn-onedrive-live.com	Phishing server
domainclients-share.com	Phishing server
domainclietns-download.com	Get2 C2 server
domaincloud-store-cdn.com	Phishing server
domainclouds-cdn.com	Phishing server
domainclouds-doanload-cnd.com	Phishing server
domainclouds-share.com	Phishing server
domaincorp-downloads.com	Get2 C2 server
domaincorp-storage.com	Get2 C2 server
domaindata-downloads.com	Phishing server
domaindaumcdnf.com	Phishing server
domaindaumcdnr.com	Phishing server
domaindaumcdns.com	Phishing server
domaindef-update.com	Get2 C2 server
domaindefinite-limits.com	Get2 C2 server
domaindigitals-space.com	Phishing server
domaindirect-share.com	Phishing server
domaindirect-space.com	Phishing server
domaindirect-upt.com	Get2 C2 server
domaindl-icloud.com	Phishing server
domaindl-sharefile.com	Phishing server
domaindl-sync.com	Phishing server
domaindocs-downloading.com	Phishing server
domaindownload-cdn.com	Phishing server
domaindownload-shares.com	Phishing server
domaindownloads-links.com	Phishing server
domaindrm-google-analtyic.com	SDBbot C2 server
domaindrm-server-booking.com	SDBbot C2 server
domaindrm-server13-login-microsoftonline.com	SDBbot C2 server
domaindropbox-cdnn.com	Phishing server
domaindropbox-cdns.com	Phishing server
domaindropbox-cdnt.com	Phishing server
domaindropbox-cnd.com	Phishing server
domaindropbox-download-eu.com	Phishing server
domaindropbox-download.com	Phishing server
domaindropbox-en.com	Phishing server
domaindropbox-er.com	Phishing server
domaindropbox-eu.com	Phishing server
domaindropbox-sdn.com	Phishing server
domaindropboxccdn.com	Phishing server
domaindropboxrcdn.com	Phishing server
domaindropboxscdn.com	Phishing server
domaindropboxwcdn.com	Phishing server
domaindyn-downloads.com	Phishing server
domaindysoool.com	Get2 C2 server
domainegnytefs.com	Phishing server
domaineu-download.com	Phishing server
domaineu-global-online.com	SDBbot C2 server
domaineu-global.com	SDBbot C2 server
domainex-downloads.com	Phishing server
domainex-stores.com	Get2 C2 server
domainfacebook-drm-server3.com	SDBbot C2 server
domainfast-bits.com	Phishing server
domainfast-gl-backups.com	Get2 C2 server
domainfasts-downloads.com	Phishing server
domainfile-shares.com	Phishing server
domainfiles-downloads.com	Phishing server
domainfileshare-cdns.com	Phishing server
domainfileshare-cnd.com	Phishing server
domainfileshare-storage.com	Phishing server
domainfilesharess.com	Phishing server
domainfilessz.com	Get2 C2 server
domainfirst-destin.com	Get2 C2 server
domainfosdommtoi.com	Get2 C2 server
domaingeneral-lcfd.com	Get2 C2 server
domaingeo-st-microsoft.com	Get2 C2 server
domainget-downloads.com	Get2 C2 server
domainget-hlinks.com	Get2 C2 server
domaingetlink-service.com	Get2 C2 server
domainglobal-downloads.com	Phishing server
domainglobal-logic-stl.com	Get2 C2 server
domainglr-ltd.com	Get2 C2 server
domaingoing-tr.com	Get2 C2 server
domaingoogle-eu-cdn.com	Phishing server
domaingoogle-us-cdn.com	Phishing server
domaingoogledrive-download.com	Phishing server
domaingoogledrive-en.com	Phishing server
domaingoogledrive-eu.com	Phishing server
domaingoogledrive-gb.com	Phishing server
domaingroms-dat.com	Get2 C2 server
domainhome-storages.com	Get2 C2 server
domaini-sharecloud.com	Phishing server
domainint-download.com	Phishing server
domaininteger-ms-home.com	Get2 C2 server
domaininto-box.com	Get2 C2 server
domainjp-microsoft-store.com	SDBbot C2 server
domainlimo-ones.com	Get2 C2 server
domainlive-en.com	Get2 C2 server
domainlive-msr.com	Phishing server
domainlocal-download.com	Phishing server
domainlong-space.com	Phishing server
domainmain-boost.com	Get2 C2 server
domainmainten-ferrum.com	Get2 C2 server
domainmays-ltd.com	Get2 C2 server
domainmd-downloads.com	Phishing server
domainmgrs-service.com	Get2 C2 server
domainmicrosoft-cnd-en.com	Get2 C2 server
domainmicrosoft-cnd.com	Get2 C2 server
domainmicrosoft-debug-098.com	Get2 C2 server
domainmicrosoft-home-en.com	Get2 C2 server
domainmicrosoft-hub-us.com	Get2 C2 server
domainmicrosoft-live-us.com	Get2 C2 server
domainmicrosoft-online-en-us.com	Get2 C2 server
domainmicrosoft-sback-server.com	Get2 C2 server
domainmicrosoft-store-drm-server.com	Get2 C2 server
domainmicrosoft-store-en.com	Get2 C2 server
domainmicrosoft-ware.com	Get2 C2 server
domainmira-store.com	Get2 C2 server
domainmop-shere.com	Phishing server
domainms-break.com	Get2 C2 server
domainms-debug-services.com	Get2 C2 server
domainms-downloading.com	Phishing server
domainms-en-microsoft.com	Get2 C2 server
domainms-global-store.com	Get2 C2 server
domainms-home-live.com	Get2 C2 server
domainms-home-store.com	Get2 C2 server
domainms-pipes-service.com	Get2 C2 server
domainms-rdt.com	Get2 C2 server
domainms-upgrades.com	Get2 C2 server
domainmslinks-downloads.com	Phishing server
domainmsonebox.com	Get2 C2 server
domainmusic-server11-facebook.com	SDBbot C2 server
domainmusic-server17-facebook.com	SDBbot C2 server
domainnear-back.com	Get2 C2 server
domainnear-fast.com	Get2 C2 server
domainnellscorp.com	Get2 C2 server
domainnels-ltd.com	Get2 C2 server
domainnews-37876-mshome.com	SDBbot C2 server
domainnews-389767-mshome.com	SDBbot C2 server
domainnews-server-drm-google.com	SDBbot C2 server
domainnews-server17-yahoo.com	SDBbot C2 server
domainnffsd-corp.com	Get2 C2 server
domainnone-class.com	Get2 C2 server
domainoffice-en-service.com	Get2 C2 server
domainoffice-teml-en.com	Get2 C2 server
domainoffice365-en-gb.com	Get2 C2 server
domainoffice365-eu-update.com	Get2 C2 server
domainoffice365-update-en-gb.com	Get2 C2 server
domainoffice365-update-en.com	Get2 C2 server
domainoffice365-update-eu.com	Get2 C2 server
domainoffice365-us-update.com	Get2 C2 server
domainone-drive-ms.com	Phishing server
domainone-drive-storage.com	Phishing server
domainone-drives.com	Phishing server
domainonedrive-cdn.com	Phishing server
domainonedrive-download-en.com	Phishing server
domainonedrive-download.com	Phishing server
domainonedrive-en-eu.com	Phishing server
domainonedrive-en-live.com	Phishing server
domainonedrive-en.com	Phishing server
domainonedrive-eu.com	Phishing server
domainonedrive-fn.com	Phishing server
domainonedrive-live-en.com	Phishing server
domainonedrive-sd.com	Phishing server
domainonedrive-sdn.com	Phishing server
domainonedrive-sn.com	Phishing server
domainonedrive-us-en.com	Phishing server
domainonedrives-en-live.com	Phishing server
domainonehub-cdn.com	Phishing server
domainonehub-en.com	Phishing server
domainonesdrives.com	Phishing server
domainonline-office365.com	Get2 C2 server
domainonms-home.com	Get2 C2 server
domainown-eu-cloud.com	Phishing server
domainowncloud-cdn.com	Phishing server
domainpersonal-dss.com	Get2 C2 server
domainpssd-ltdgroup.com	Get2 C2 server
domainrapid-stores.com	Get2 C2 server
domainrdmsom.com	Get2 C2 server
domainres-backup.com	Get2 C2 server
domainreselling-corp.com	Get2 C2 server
domainriver-store.com	Phishing server
domainrmt-downloads.com	Phishing server
domains3-ap-southeast-1-amazonaws.com	SDBbot C2 server
domains3-ap-southeast-2-amazonaws.com	SDBbot C2 server
domains77657453-onedrive.com	SDBbot C2 server
domains89065339-onedrive.com	SDBbot C2 server
domainsdff-corp.com	Get2 C2 server
domainsee-back.com	Get2 C2 server
domainselling-group.com	Get2 C2 server
domainshare-clouds.com	Phishing server
domainshare-downloading.com	Phishing server
domainshare-stores.com	Phishing server
domainshared-cnd.com	Phishing server
domainshared-download.com	Phishing server
domainshared-downloads.com	Phishing server
domainshared-filez.com	Phishing server
domainsharefile-cnd.com	Phishing server
domainsharefile-us.com	Phishing server
domainsharefiles-download.com	Phishing server
domainsharefiles-en.com	Phishing server
domainsharefiles-eu.com	Phishing server
domainsharefileszz.com	Get2 C2 server
domainshares-cdns.com	Phishing server
domainshares-cloud.com	Phishing server
domainsharespoint-en.com	Phishing server
domainshort-share.com	Phishing server
domainshortcut-links.com	Phishing server
domainshr-links.com	Get2 C2 server
domainsiron-del.com	Get2 C2 server
domainsl-downloads.com	Phishing server
domainstat-downloads.com	Phishing server
domainstatic-downloads.com	Get2 C2 server
domainstatic-google-analtyic.com	SDBbot C2 server
domainstore-000846-live.com	SDBbot C2 server
domainstore-003774-live.com	SDBbot C2 server
domainstore-downloads.com	Phishing server
domainstore-in-box.com	Get2 C2 server
domainstt-box.com	Get2 C2 server
domainstudio-stlsdr.com	Get2 C2 server
domainsync-share.com	Phishing server
domainsyncdownload.com	Phishing server
domainsyncdownloading.com	Phishing server
domaintnrff-home.com	Get2 C2 server
domaintoppon-studio.com	Get2 C2 server
domaintransff-reddon.com	Get2 C2 server
domaintremd-space.com	Phishing server
domainupdate-ms-en-office365.com	Get2 C2 server
domainupdate-msoffice365.com	Get2 C2 server
domainupdate365-office-ens.com	Get2 C2 server
domainupgrade-ms-home.com	Get2 C2 server
domainurl-space.com	Phishing server
domainus-microsoft-store.com	SDBbot C2 server
domainusr-telemetry-microsoft.com	Get2 C2 server
domainwest-dat.com	Get2 C2 server
domainwindows-afx-update.com	Get2 C2 server
domainwindows-appstore-en.com	Get2 C2 server
domainwindows-avs-update.com	Get2 C2 server
domainwindows-cnd-update.com	Phishing server
domainwindows-dev-sec.com	Get2 C2 server
domainwindows-en-us-update.com	Get2 C2 server
domainwindows-fsd-update.com	Get2 C2 server
domainwindows-me-update.com	Get2 C2 server
domainwindows-msd-update.com	Get2 C2 server
domainwindows-office365.com	Get2 C2 server
domainwindows-se-update.com	Get2 C2 server
domainwindows-service-en.com	Get2 C2 server
domainwindows-service-us.com	Get2 C2 server
domainwindows-several-update.com	Get2 C2 server
domainwindows-sys-update.com	Get2 C2 server
domainwindows-update-02-en.com	Get2 C2 server
domainwindows-update-sdbt.com	Get2 C2 server
domainwindows-update-sdfw.com	Get2 C2 server
domainwindows-update-sys.com	Get2 C2 server
domainwindows-upgrade-en.com	Get2 C2 server
domainwindows-wsus-en.com	Get2 C2 server
domainwindows-wsus-update.com	Get2 C2 server
domainwire-share.com	Get2 C2 server
domainwpad-home.com	Get2 C2 server
domainxbox-en-cnd.com	Get2 C2 server
domainxbox-ms-store-debug.com	SDBbot C2 server

Threat ID: 682c7adce3e6de8ceb778249

Added to database: 5/20/2025, 12:51:40 PM

Last enriched: 6/19/2025, 2:20:39 PM

Last updated: 7/31/2025, 5:04:39 PM

Related Threats

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

[CERT-FR] Infrastructure d'attaque du groupe cybercriminel TA505

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Indicators of Compromise

[CERT-FR] Infrastructure d'attaque du groupe cybercriminel TA505

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Technical Details

Indicators of Compromise

Comment

Ip

Domain

Related Threats

ThreatFox IOCs for 2025-08-14

ThreatFox IOCs for 2025-08-13

ThreatFox IOCs for 2025-08-12

ThreatFox IOCs for 2025-08-11

ThreatFox IOCs for 2025-08-10

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility