
[CERT-FR] Attack infrastructure of the cybercriminal group TA505

Medium
Published: Mon Feb 08 2021 (02/08/2021, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: type
Product: osint

Description

[CERT-FR] Attack infrastructure of the cybercriminal group TA505

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/19/2026, 14:31:05 UTC

Technical Analysis

This report from CERT-FR provides an analysis of the attack infrastructure utilized by the cybercriminal group TA505, based on open-source intelligence. It identifies network activity and external analysis related to TA505 and the threat actor FIN11. The data does not describe specific vulnerabilities or exploits but serves to inform about the operational infrastructure of these threat actors. No affected software versions or patches are mentioned, and no known exploits in the wild are reported.

Potential Impact

The impact is primarily informational, providing insight into the infrastructure of TA505. There is no direct evidence of exploitation or vulnerabilities disclosed in this report. The information may assist defenders in recognizing and mitigating potential threats from this actor but does not indicate an immediate technical vulnerability or exploit.

Mitigation Recommendations

No specific patches or remediation actions are available or indicated, because the report describes infrastructure rather than a vulnerability. Organizations should treat this intelligence as part of their threat awareness and monitoring activities, for example by incorporating the listed C2 and phishing server indicators into their detection and blocking controls. Since no direct vulnerability or exploit is described, no urgent remediation is required based on this report alone.


Technical Details

Uuid
6021536f-a808-4b9c-8136-d7460aba047c
Original Timestamp
1776577177

Indicators of Compromise

Comment

Value / Description
Results of the investigation into TA505's attack infrastructure
MontySpider / Cert-IST Attack Alias
TEMP.Warlock / Cert-IST Attack Alias
IOC extracted from a CERT-FR report (in French) that describes the infrastructure used by TA505 from August 2019 to February 2021. It describes in particular the types of servers used (redirection servers, phishing servers, Get2 servers, SDbot servers) and the bullet-proof hosts used (VPSSC, FlowSpec). It indicates that TA505 now often uses Clop ransomware. / Cert-IST Description
SDbot / Cert-IST Malware Name
Get2 / Cert-IST Malware Name


File

Value / Description
TLP-GREEN-TA-21-008-TA505-overview.pdf

Datetime

Value / Description
2019-07-31T22:00:00+00:00 / Cert-IST First Seen Date
2021-02-07T23:00:00+00:00 / Cert-IST First Disclosed Date

Link

Value / Description
https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2019.067 / Cert-IST External link

Text

Value / Description
TA505 / Cert-IST Attack name

Threat ID: 69e4e39d19fe3cd2cd5bea18

Added to database: 4/19/2026, 2:15:57 PM

Last enriched: 4/19/2026, 2:31:05 PM

Last updated: 4/19/2026, 6:20:56 PM
