Created June 14, 2023 21:19 by BushidoUK (gist 00cd11ef93f486cc5c89d25b5fb2ca2b)
Malicious Hostnames belonging to Malware Operators, Ransomware Groups, and Advanced Persistence Threats
WIN-QQ80VPAFRNH
  84.252.95.225 - SolarMarker
  37.120.237.251 - SolarMarker
  217.138.205.170 - Ursnif
  185.236.202.184 - Pegasus, NSO Group

DESKTOP-2NFCDE2
  94.142.138.32 - Aurora Stealer
  45.15.156.250 - Aurora Stealer
  45.15.156.40 - Raccoon Stealer
  91.109.178.9 - njRAT

DESKTOP-93VHU8M
  108.177.235.131 - Cobalt Strike / Log4j
  108.177.235.51 - Tor Exit Node
  142.234.157.197 - Cobalt Strike
  172.241.27.244 - Cobalt Strike
  213.227.154.37 - Poste Italiane Spoofed Domains Registered through Reg[.]ru
  142.234.157.172 - DoppelPaymer
  23.106.122.13 - Follina Vulnerability (CVE-2022-30190) Attack Using "Antimicrobial Film Request" File (AhnLab)
  23.106.160.185 - UNC1878 / Wizard Spider
  23.106.160.61 - WizardSpider/EXOTIC LILY
  23.106.160.86 - WizardSpider/EXOTIC LILY
  23.82.19.130 - WizardSpider/EXOTIC LILY
  23.82.140.136 - WizardSpider/EXOTIC LILY
  108.177.235.212 - WizardSpider/EXOTIC LILY
  213.227.154.175 - Sky-CNC (APT-C-48)

WIN-4K804V6ADVQ
  45.11.19.47 - Iranian APTs
  23.106.215.76 - Iranian APTs (APT34)
  108.62.141.247 - Iranian APTs (DNSpionage)
  212.114.52.20 - Indian APTs (Donot)
  160.20.147.219 - Lazarus (naversecurityteam[.]com)
  23.106.215.179 - Cobalt Strike
  160.20.147.113 - Cobalt Strike
  23.19.58.43 - BlackBasta
  172.93.181.93 - BumbleBee
  45.138.172.51 - WizardSpider/Ryuk

WIN-OQJUIMC71B6
  185.125.204.135 - WizardSpider/Ryuk/Log4j https://gist.github.com/MichaelKoczwara/f07ba36db360119b2999e0c28b92a08c
  45.147.231.168 - AveMaria https://github.com/stamparm/maltrail/blob/master/trails/static/malware/avemaria.txt
  45.147.231.113 - IcedID/Log4j https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/

WIN-344VU98D3RU
  45.67.231.170 - WizardSpider/Trickbot
  45.67.231.50 - Tor Exit Node/Redline https://blog.talosintelligence.com/threat-roundup-0212-0219/
  5.182.39.75 - Redline https://twitter.com/TrackerC2Bot/status/1618851723765743617?s=20

WIN-25FFVSIPLS1
  69.46.15.173 - Cobalt Strike https://twitter.com/drb_ra/status/1540783091467157506?s=20
Where they were originally sighted before:
WIN-799RI0TSTOF
  https://thedfirreport.com/2021/12/13/diavol-ransomware/
  https://www.intrinsec.com/egregor-prolock/
WIN-4K804V6ADVQ
DESKTOP-LHC2KTF
DESKTOP-93VHU8M
  https://www.intrinsec.com/egregor-prolock/
WIN-OQJUIMC71B6
  https://twitter.com/BushidoToken/status/1525204342944550918
  https://twitter.com/teamcymru_S2/status/1525148703690047492
WIN-344VU98D3RU
WIN-25FFVSIPLS1
  https://twitter.com/teamcymru_S2/status/1525148703690047492

Look for new ones:
  https://www.shodan.io/search?query=product%3A%22WinRM%22+org%3A%22HIVELOCITY%2C+Inc.%22
  https://www.shodan.io/search?query=product%3A%22WinRM%22+org%3A%22Leaseweb+USA%2C+Inc.%22
I would add a few for LockBit:
WIN-1A6MJAAUVVE
WIN-R5E36NFGAR1
WIN-D5MLIHPRHA4
WIN-C9O8CM1648G
Pascal