# IOClist - url
#
# Use these IOCs at your own risk.
#
# See : http://www.botvrij.eu