Disrupting the GRIDTIDE Global Cyber Espionage Campaign
A global espionage campaign targeting telecommunications and government organizations across four continents has been disrupted. The threat actor, UNC2814, is suspected to be linked to China and has been active since 2017. The campaign utilized a sophisticated backdoor called GRIDTIDE, which leveraged the Google Sheets API for command and control. The attackers compromised 53 victims in 42 countries, with suspected infections in 20 more. GRIDTIDE's capabilities include executing shell commands, file transfers, and evading detection by disguising traffic as legitimate cloud API requests. The disruption involved terminating attacker-controlled cloud projects, disabling infrastructure, and revoking API access.
AI Analysis
Technical Summary
The GRIDTIDE campaign is a sophisticated global cyber espionage operation attributed to UNC2814, a threat actor group suspected to have ties to China, active since 2017. It targeted telecommunications and government organizations across four continents, compromising at least 53 victims in 42 countries, with additional suspected infections. The attackers deployed a custom backdoor named GRIDTIDE that uniquely leveraged the Google Sheets API as a command and control (C2) channel. This approach allowed the malware to send and receive commands disguised as legitimate cloud API traffic, thereby evading traditional network detection mechanisms. GRIDTIDE's capabilities include executing arbitrary shell commands on compromised hosts, transferring files to and from infected systems, and maintaining persistence. The campaign exploited API abuse techniques to blend malicious activity within normal cloud service usage patterns. The disruption of the campaign involved coordinated efforts to terminate attacker-controlled Google Cloud projects, disable their infrastructure, and revoke API access tokens, effectively cutting off the C2 channel. The use of cloud-based APIs for C2 represents an advanced tactic that complicates detection and response, as it leverages trusted cloud services. The campaign also employed various techniques mapped to MITRE ATT&CK tactics such as credential dumping, lateral movement, persistence, and defense evasion, indicating a highly capable adversary with extensive operational sophistication.
Potential Impact
The GRIDTIDE campaign poses significant risks to the confidentiality and integrity of sensitive information within telecommunications and government sectors globally. By compromising critical infrastructure organizations, the attackers could exfiltrate sensitive communications, strategic data, and government secrets, potentially impacting national security and competitive positioning. The use of legitimate cloud APIs for C2 complicates detection, increasing the likelihood of prolonged undetected access and data theft. The campaign’s persistence and ability to execute arbitrary commands also raise the risk of further lateral movement and disruption within victim networks. Organizations affected may face operational disruptions, loss of intellectual property, reputational damage, and regulatory consequences. The broad geographic scope and targeting of strategic sectors underscore the campaign’s potential to influence geopolitical dynamics and intelligence landscapes. Although no widespread destructive payloads were reported, the espionage nature of the campaign means long-term impacts on victim organizations’ security posture and trustworthiness of cloud services could be profound.
Mitigation Recommendations
To mitigate threats like GRIDTIDE, organizations should implement comprehensive monitoring of cloud API usage, specifically looking for anomalous patterns such as unusual Google Sheets API calls or unexpected data flows. Enforce strict least-privilege access controls and regularly audit API keys and OAuth tokens to prevent unauthorized use. Deploy endpoint detection and response (EDR) solutions capable of identifying suspicious shell command executions and file transfers. Conduct threat hunting exercises focused on detecting backdoors that leverage cloud services for C2. Integrate cloud security posture management (CSPM) tools to identify and remediate misconfigurations in cloud projects and services. Collaborate with cloud service providers to quickly revoke compromised credentials and disable malicious infrastructure. Educate security teams on emerging API abuse techniques and update incident response plans to include cloud API threat scenarios. Finally, maintain up-to-date threat intelligence feeds to stay informed on evolving tactics used by UNC2814 and similar actors.
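The analysis above describes C2 hidden inside Google Sheets API traffic, and the recommendations ask for monitoring of cloud API usage and matching against known indicators. As an added example (not code from this page, from Google, or from AlienVault), the Python below runs those three checks over a few constructed log lines: exact matching of destinations against IPs, a URL and domains copied from this page's IoC list; flagging of hosts that talk to the dynamic-DNS zones under which every domain in that list sits; and flagging of Sheets API calls made by a process outside an analyst-supplied baseline or above a call-count threshold. The log format, the host names and process names in the sample, the use of `sheets.googleapis.com` as the Sheets API endpoint, and the baseline set are assumptions.

```python
"""Detection helpers for the tradecraft described in the GRIDTIDE summary.

Added example, not code from the original page or from the report's authors.
Assumptions: log lines use a constructed "ts host process dest bytes_out"
format; Google Sheets API traffic is identified by the host
sheets.googleapis.com; the analyst supplies the set of processes that are
expected to call that API.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the page's IoC list (a subset of the domains).
IOC_IPS = {
    "38.60.194.21", "130.94.6.228", "195.123.211.70", "38.54.112.184",
    "38.54.31.146", "38.54.32.244", "38.54.37.196", "38.54.82.69",
    "38.60.171.242", "38.60.224.25", "38.60.252.66",
}
IOC_URL = "http://130.94.6.228/update.tar.gz"
IOC_DOMAINS = {"vmtools.camdvr.org", "updateservices.kozow.com", "telkom.ooguy.com"}
# Dynamic-DNS apex zones: every domain in the page's IoC list is a subdomain of one of these.
DYNDNS_APEXES = {
    "ddnsfree.com", "freeddns.org", "accesscam.org", "camdvr.org", "kozow.com",
    "ddnsgeek.com", "webredirect.org", "theworkpc.com", "ooguy.com", "gleeze.com",
    "loseyourip.com", "casacam.net", "bumbleshrimp.com", "dynuddns.net",
}
SHEETS_API_HOST = "sheets.googleapis.com"  # assumption: Sheets API endpoint host

# Constructed sample log (not real telemetry): ts host process dest bytes_out
SAMPLE_LOG = """
2026-02-26T10:00:01Z ws-17 chrome.exe sheets.googleapis.com 1200
2026-02-26T10:00:05Z ws-17 chrome.exe sheets.googleapis.com 900
2026-02-26T10:01:00Z srv-db unknownsvc.exe sheets.googleapis.com 340
2026-02-26T10:02:00Z srv-db unknownsvc.exe http://130.94.6.228/update.tar.gz 0
2026-02-26T10:03:00Z ws-22 excel.exe sheets.googleapis.com 2200
2026-02-26T10:04:00Z srv-app curl vmtools.camdvr.org 512
2026-02-26T10:05:00Z ws-09 chrome.exe github.com 4000
2026-02-26T10:06:00Z srv-app curl 38.54.82.69 800
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    process: str
    dest: str  # IP, domain, or full URL
    bytes_out: int


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format; lines that do not fit are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, proc, dest, b = m.groups()
            events.append(Event(ts, host, proc, dest, int(b)))
    return events


def dest_host(dest):
    """Strip scheme and path so URLs and bare hosts compare alike."""
    return re.sub(r"^[a-z]+://", "", dest).split("/")[0].lower()


def apex(hostname):
    """Last two labels of a hostname (good enough for the zones above)."""
    parts = hostname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname


def match_iocs(events):
    """Exact matches against the page's indicators, as (host, dest) pairs in log order."""
    hits = []
    for e in events:
        h = dest_host(e.dest)
        if e.dest == IOC_URL or h in IOC_IPS or h in IOC_DOMAINS:
            hits.append((e.host, e.dest))
    return hits


def dyndns_hosts(events):
    """Hosts contacting any dynamic-DNS zone that the campaign's domains use."""
    return sorted({e.host for e in events if apex(dest_host(e.dest)) in DYNDNS_APEXES})


def sheets_api_anomalies(events, allowed_processes, max_calls=50):
    """Sheets API callers that are not in the baseline, or exceed max_calls."""
    per_proc = Counter()
    for e in events:
        if dest_host(e.dest) == SHEETS_API_HOST:
            per_proc[(e.host, e.process)] += 1
    flagged = [(host, proc, n) for (host, proc), n in per_proc.items()
               if proc not in allowed_processes or n > max_calls]
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("IoC hits:", match_iocs(evts))
    print("Dynamic-DNS talkers:", dyndns_hosts(evts))
    print("Sheets API anomalies:", sheets_api_anomalies(evts, {"chrome.exe", "excel.exe"}))
```

The dynamic-DNS check is the one that generalises beyond the listed domains: a name that is not yet on any feed but sits under the same provider zones still surfaces, which matters given how many near-random labels the campaign registered. The Sheets API check only works if the baseline of legitimate callers is maintained; a browser or spreadsheet client calling the API is normal, an unrelated service process doing so is not.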
Affected Countries
United States, China, India, Germany, United Kingdom, France, Brazil, Australia, Canada, South Korea, Japan, Russia, Italy, Mexico, South Africa
Indicators of Compromise
- ip: 38.60.194.21
- hash: 2d261e232233eb8027dc8c1fcc128682
- hash: be0a15969da42365acc8cbc91c9e8bed9b6362f5
- hash: 01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb
- hash: 4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9
- hash: 669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966
- hash: ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47
- hash: d25024ccea8eac85a9522289cfb709f2ed4e20176dd37855bacc2cd75c995606
- hash: eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033
- ip: 130.94.6.228
- ip: 195.123.211.70
- ip: 38.54.112.184
- ip: 38.54.31.146
- ip: 38.54.32.244
- ip: 38.54.37.196
- ip: 38.54.82.69
- ip: 38.60.171.242
- ip: 38.60.224.25
- ip: 38.60.252.66
- url: http://130.94.6.228/update.tar.gz
- hash: 1edeca9e939da6ca58826170495b4045a2a74c0a
- domain: 1cv2f3d5s6a9w.ddnsfree.com
- domain: admina.freeddns.org
- domain: afsaces.accesscam.org
- domain: ancisesic.accesscam.org
- domain: applebox.camdvr.org
- domain: appler.kozow.com
- domain: asdad21ww.freeddns.org
- domain: aw2o25forsbc.camdvr.org
- domain: bab2o25com.accesscam.org
- domain: babaji.accesscam.org
- domain: babi5599ss.ddnsgeek.com
- domain: bibabo.freeddns.org
- domain: binmol.webredirect.org
- domain: boemobww.ddnsfree.com
- domain: brcallletme.theworkpc.com
- domain: btbtutil.theworkpc.com
- domain: btltan.ooguy.com
- domain: camcampkes.ddnsfree.com
- domain: camsqewivo.kozow.com
- domain: ccammutom.ddnsgeek.com
- domain: cdnvmtools.theworkpc.com
- domain: cloacpae.ddnsfree.com
- domain: cmwwoods1.theworkpc.com
- domain: cnrpaslceas.freeddns.org
- domain: codemicros12.gleeze.com
- domain: cressmiss.ooguy.com
- domain: cvabiasbae.ddnsfree.com
- domain: cvnoc01da1cjmnftsd.accesscam.org
- domain: cvpc01aenusocirem.accesscam.org
- domain: dclcwpdtsdcc.ddnsfree.com
- domain: dlpossie.ddnsfree.com
- domain: dnsfreedb.ddnsfree.com
- domain: evilginx2.loseyourip.com
- domain: examp1e.webredirect.org
- domain: fakjcsaeyhs.ddnsfree.com
- domain: fasceadvcva3.gleeze.com
- domain: ffosies2024.camdvr.org
- domain: fgdedd1dww.gleeze.com
- domain: filipinet.ddnsgeek.com
- domain: freeios.theworkpc.com
- domain: ftpuser14.gleeze.com
- domain: ftpzpak.kozow.com
- domain: globoss.kozow.com
- domain: gogo2025up.ddnsfree.com
- domain: googlel.gleeze.com
- domain: googles.accesscam.org
- domain: googles.ddnsfree.com
- domain: googlett.camdvr.org
- domain: googllabwws.gleeze.com
- domain: gtaldps31c.ddnsfree.com
- domain: hamkorg.kozow.com
- domain: honidoo.loseyourip.com
- domain: huygdr12.loseyourip.com
- domain: icekancusjhea.ddnsgeek.com
- domain: idstandsuui.kozow.com
- domain: indoodchat.theworkpc.com
- domain: jarvis001.freeddns.org
- domain: kaushalya.freeddns.org
- domain: khyes001ndfpnuewdm.kozow.com
- domain: kskxoscieontrolanel.gleeze.com
- domain: ksv01sokudwongsj.theworkpc.com
- domain: lcskiecjj.loseyourip.com
- domain: lcskiecs.ddnsfree.com
- domain: losiesca.ddnsgeek.com
- domain: lps2staging.ddnsfree.com
- domain: lsls.casacam.net
- domain: ltiuys.ddnsgeek.com
- domain: ltiuys.kozow.com
- domain: mailsdy.gleeze.com
- domain: maliclick1.ddnsfree.com
- domain: mauritasszddb.ddnsfree.com
- domain: meetls.kozow.com
- domain: microsoft.bumbleshrimp.com
- domain: ml3.freeddns.org
- domain: mlksucnayesk.kozow.com
- domain: mms.bumbleshrimp.com
- domain: modgood.gleeze.com
- domain: mosplosaq.accesscam.org
- domain: mysql.casacam.net
- domain: nenignenigoncqvoo.ooguy.com
- domain: nenigoncqnutgo.accesscam.org
- domain: nims.gleeze.com
- domain: nisaldwoa.theworkpc.com
- domain: nmszablogs.ddnsfree.com
- domain: nodekeny11.freeddns.org
- domain: npeoples.theworkpc.com
- domain: officeshan.kozow.com
- domain: okkstt.ddnsgeek.com
- domain: oldatain1.ddnsgeek.com
- domain: onlyosun.ooguy.com
- domain: osix.ddnsgeek.com
- domain: palamolscueajfvc.gleeze.com
- domain: pawanp.kozow.com
- domain: pcmainecia.ddnsfree.com
- domain: pcvmts3.kozow.com
- domain: peisuesacae.loseyourip.com
- domain: peowork.ddnsgeek.com
- domain: pepesetup.ddnsfree.com
- domain: pewsus.freeddns.org
- domain: plcoaweniva.ddnsgeek.com
- domain: policyagent.theworkpc.com
- domain: polokinyea.gleeze.com
- domain: pplodsssead222.loseyourip.com
- domain: pplosad231.kozow.com
- domain: ppsabedon.gleeze.com
- domain: prdanjana01.ddnsfree.com
- domain: prepaid127.freeddns.org
- domain: priftp.kozow.com
- domain: prihxlcs.ddnsfree.com
- domain: prihxlcsw.theworkpc.com
- domain: pxlaxvvva.freeddns.org
- domain: rabbit.ooguy.com
- domain: rsm323.kozow.com
- domain: scopps.ddnsgeek.com
- domain: sdhite43.ddnsfree.com
- domain: sdsuytoins63.kozow.com
- domain: selfad.gleeze.com
- domain: serious.kozow.com
- domain: setupcodpr2.freeddns.org
- domain: sgsn.accesscam.org
- domain: sn0son4t31bbsvopou.camdvr.org
- domain: sn0son4t31opc.freeddns.org
- domain: soovuy.gleeze.com
- domain: supceasfg1.loseyourip.com
- domain: systemsz.kozow.com
- domain: t31c0mjumpcuyerop.ooguy.com
- domain: t31c0mopamcuiomx.kozow.com
- domain: t31c0mopmiuewklg.webredirect.org
- domain: t31c0mopocuveop.accesscam.org
- domain: t3lc0mcanyqbfac.loseyourip.com
- domain: t3lc0mczmoihwc.camdvr.org
- domain: t3lc0mh4udncifw.casacam.net
- domain: t3lm0rtlcagratu.kozow.com
- domain: telen.bumbleshrimp.com
- domain: telkom.ooguy.com
- domain: telkomservices.theworkpc.com
- domain: thbio.kozow.com
- domain: timpe.kozow.com
- domain: timpe.webredirect.org
- domain: tlse001hdfuwwgdgpnn.theworkpc.com
- domain: tltlsktelko.ddnsfree.com
- domain: transport.dynuddns.net
- domain: trvcl.bumbleshrimp.com
- domain: ttsiou12.loseyourip.com
- domain: ua2o25yth.ddnsgeek.com
- domain: udieyg.gleeze.com
- domain: unnjunnani.ddnsfree.com
- domain: updatamail.kozow.com
- domain: updatasuccess.ddnsgeek.com
- domain: updateservices.kozow.com
- domain: uscplxsecjs.ddnsgeek.com
- domain: usoshared1.ddnsfree.com
- domain: vals.bumbleshrimp.com
- domain: vass.ooguy.com
- domain: vass2025.casacam.net
- domain: vmtools.camdvr.org
- domain: vmtools.loseyourip.com
- domain: vosies.ddnsfree.com
- domain: vpaspmine.freeddns.org
- domain: wdlcamaakc.ooguy.com
- domain: winfoss1.kozow.com
- domain: ysiohbk.camdvr.org
- domain: zammffayhd.ddnsfree.com
- domain: zmcmvmbm.ddnsfree.com
- domain: zwmn350n3o1fsdf3gs.kozow.com
- domain: zwmn350n3o1ugety2xbe.camdvr.org
- domain: zwmn350n3o1vsdrggs.ddnsfree.com
- domain: zwt310n3o1unety2kab.webredirect.org
- domain: zwt310n3o2unety6a3k.kozow.com
- domain: zwt31n3t0nidoqmve.camdvr.org
- domain: zwt3ln3t1aimckalw.theworkpc.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign
- Adversary: UNC2814
- Pulse Id: 69a028b4c9477a7b9420328f
- Threat Score: null
Threat ID: 69a042c8b7ef31ef0b424ee0
Added to database: 2/26/2026, 12:55:36 PM
Last enriched: 2/26/2026, 1:14:43 PM
Last updated: 2/26/2026, 10:33:47 PM