Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

    Date: 12/23/2024

    Severity: High

    Summary

    Earth Koshchei ran a sophisticated campaign built on rogue Remote Desktop Protocol (RDP) tactics. The group repurposed red team tools for espionage and data exfiltration, using spear-phishing emails to lure victims into connecting to attacker-controlled RDP servers through a malicious RDP configuration file. The campaign involved over 200 newly registered domains and 193 RDP relays. To evade detection, Earth Koshchei masked its operations behind commercial VPNs, TOR and residential proxies, adding to the stealth and complexity of the attack.
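    The lure in this campaign is an RDP connection (.rdp) file that points the victim's client at a rogue server. The checker below is an added example (not code from the advisory, Gurucul or Trend Micro) that parses such a file, matches its target host against a few of the rogue domains from the IOC list, and flags resource redirection settings that would let the remote side reach local drives and clipboard. The sample .rdp text and the login.s3-aws.cloud subdomain are constructed; domain matching is anchored at label boundaries rather than the bare substring match the detection queries use.

```python
"""Assess an .rdp connection file against the campaign's rogue domains."""

# A handful of rogue domains taken from the advisory's URL/Domain list.
# A real deployment would load the complete list from the feed.
ROGUE_DOMAINS = {
    "gov-au.cloud", "ua-mil.cloud", "s3-aws.cloud",
    "zoom-meeting.cloud", "ms-meeting.com", "aws-join.cloud",
}

# Standard Remote Desktop client settings that expose local resources
# to the remote host. Value semantics: 's' keys use '' (none) or a
# drive list / '*' (all); 'i' keys use 0/1.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
}


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank line or malformed entry
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def host_from_address(address):
    """Strip the optional ':port' from a 'full address' value."""
    address = address.strip().lower()
    if address.startswith("[") and "]" in address:  # bracketed IPv6
        return address[1:address.index("]")]
    return address.split(":", 1)[0]


def matches_rogue_domain(host):
    """Return the matching rogue domain (exact or parent), else None."""
    for domain in ROGUE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def assess_rdp(text):
    """Return host, findings and a verdict: block / review / allow."""
    settings = parse_rdp(text)
    findings = []
    rogue_hit = False

    addr = settings.get("full address") or settings.get("alternate full address")
    host = host_from_address(addr[1]) if addr else None
    if host:
        hit = matches_rogue_domain(host)
        if hit:
            rogue_hit = True
            findings.append(f"full address {host} matches rogue domain {hit}")

    for key, what in REDIRECTION_KEYS.items():
        typ, value = settings.get(key, ("", ""))
        enabled = (typ == "s" and value not in ("", "0")) or (typ == "i" and value == "1")
        if enabled:
            findings.append(f"{what} redirected to remote host ({key}={value})")

    if rogue_hit:
        verdict = "block"
    elif findings:
        verdict = "review"  # redirection alone is common in legitimate files
    else:
        verdict = "allow"
    return {"host": host, "findings": findings, "verdict": verdict}


# Constructed sample modelled on a phishing .rdp attachment (not a real capture).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:login.s3-aws.cloud:3389
remoteapplicationmode:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
authentication level:i:0
"""

if __name__ == "__main__":
    result = assess_rdp(SAMPLE_RDP)
    print(result["verdict"], result["host"])
    for finding in result["findings"]:
        print(" -", finding)
```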

    Indicators of Compromise (IOC) List

    URL/Domain

    IP Address

    Hash

    Hostname

    Subject

    AWS IAM Expansion Notification

    AWS IAM Identity Center Launch

    AWS Infrastructure Deployment

    AWS SDE - Secure Data Exchange

    AWS SDE Launch Notification

    AWS SDE: The Next Gen Platform for Secure Exchange

    Amazon & [REDACTED COUNTRY TLD] MoD

    Amazon's Next Step in Internet Data Exchange (ZTS)

    Cloud Infrastructure Extension Plan Update

    Compliance Check Required for New ZTS Platform

    Cyber Security Partnership Notification

    DMARC ViolationCompliance Check Required for New Platform

    DMARC ViolationIAM Identity Center: Unified Access

    DMARC ViolationMicrosoft & Amazon Security Partnership

    Data Protection Enhanced with Zero Trust Architecture

    IAM Identity Center Update

    IAM Identity Center: Unified Access

    Microsoft & Amazon Cloud Extension Update

    Microsoft & Amazon Security Partnership

    New AWS Platform Features

    New Platform – AWS Secure Data Exchange

    New Zero Trust Model Implementation on AWS

    Next Gen Secure Platform Launch

    Secure Data Exchange Update

    Secure and Compliant Access to All Resources Ahead

    Transparent Data Access via AWS Secure Data Exchange

    UA support

    ZTS Compliance Check Required

    ZTS Future of Data Exchange Ahead

    ZTS Implementation by Amazon & Microsoft

    Zero Trust Model Implementation

    Zero Trust Solution Testing in Progress

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "gov-sk.cloud" or url like "gov-sk.cloud" or userdomainname like "s3-cloud.us" or url like "s3-cloud.us" or userdomainname like "zoom-meetings.cloud" or url like "zoom-meetings.cloud" or userdomainname like "aws-data.cloud" or url like "aws-data.cloud" or userdomainname like "ssi-gouv-fr.cloud" or url like "ssi-gouv-fr.cloud" or userdomainname like "googlemeet.zone" or url like "googlemeet.zone" or userdomainname like "aws-meet.cloud" or url like "aws-meet.cloud" or userdomainname like "s3-dgap.cloud" or url like "s3-dgap.cloud" or userdomainname like "zoom-meeting.today" or url like "zoom-meeting.today" or userdomainname like "europa-eu.cloud" or url like "europa-eu.cloud" or userdomainname like "sipacolumbia.us" or url like "sipacolumbia.us" or userdomainname like "google-meet.cloud" or url like "google-meet.cloud" or userdomainname like "cer.zone" or url like "cer.zone" or userdomainname like "s3-dnc.cloud" or url like "s3-dnc.cloud" or userdomainname like "zoommeeting.today" or url like "zoommeeting.today" or userdomainname like "aws-ukraine.cloud" or url like "aws-ukraine.cloud" or userdomainname like "s3-state.cloud" or url like "s3-state.cloud" or userdomainname like "citoc.cloud" or url like "citoc.cloud" or userdomainname like "mfa-gov.cloud" or url like "mfa-gov.cloud" or userdomainname like "ms-meetings.online" or url like "ms-meetings.online" or userdomainname like "microsoftmeeting.cloud" or url like "microsoftmeeting.cloud" or userdomainname like "druva.cloud" or url like "druva.cloud" or userdomainname like "zoom-meeting.live" or url like "zoom-meeting.live" or userdomainname like "aws-il.cloud" or url like "aws-il.cloud" or userdomainname like "difesa-it.cloud" or url like "difesa-it.cloud" or userdomainname like "s3-ua.cloud" or url like "s3-ua.cloud" or userdomainname like "ua-aws.army" or url like "ua-aws.army" or userdomainname like "ua-mil.cloud" or url like "ua-mil.cloud" or userdomainname like "morh-hr.cloud" or url 
like "morh-hr.cloud" or userdomainname like "s3-rackspace.cloud" or url like "s3-rackspace.cloud" or userdomainname like "aws-online.cloud" or url like "aws-online.cloud" or userdomainname like "s3-knowbe4.cloud" or url like "s3-knowbe4.cloud" or userdomainname like "us-mil.cloud" or url like "us-mil.cloud" or userdomainname like "gov-gr.cloud" or url like "gov-gr.cloud" or userdomainname like "amazonsolutions.cloud" or url like "amazonsolutions.cloud" or userdomainname like "wilsoncenter.cloud" or url like "wilsoncenter.cloud" or userdomainname like "regeringskansliet-se.cloud" or url like "regeringskansliet-se.cloud" or userdomainname like "amazonmeeting.cloud" or url like "amazonmeeting.cloud" or userdomainname like "awsmeetings.online" or url like "awsmeetings.online" or userdomainname like "ms-meeting.com" or url like "ms-meeting.com" or userdomainname like "s3-zoho.cloud" or url like "s3-zoho.cloud" or userdomainname like "s3-monitoring.cloud" or url like "s3-monitoring.cloud" or userdomainname like "dep-no.cloud" or url like "dep-no.cloud" or userdomainname like "usaid.cloud" or url like "usaid.cloud" or userdomainname like "mfa-gov-il.cloud" or url like "mfa-gov-il.cloud" or userdomainname like "heritagecloud.org" or url like "heritagecloud.org" or userdomainname like "europeanvalues.cloud" or url like "europeanvalues.cloud" or userdomainname like "ua-gov.cloud" or url like "ua-gov.cloud" or userdomainname like "s3-de.cloud" or url like "s3-de.cloud" or userdomainname like "ncfta.cloud" or url like "ncfta.cloud" or userdomainname like "trustifi.cloud" or url like "trustifi.cloud" or userdomainname like "prio.zone" or url like "prio.zone" or userdomainname like "aspeninstitute.cloud" or url like "aspeninstitute.cloud" or userdomainname like "s3-acronis.cloud" or url like "s3-acronis.cloud" or userdomainname like "s3-hudson.cloud" or url like "s3-hudson.cloud" or userdomainname like "s3-csis.cloud" or url like "s3-csis.cloud" or userdomainname like 
"s3-us.navy" or url like "s3-us.navy" or userdomainname like "statecloud.us" or url like "statecloud.us" or userdomainname like "gov-ua.cloud" or url like "gov-ua.cloud" or userdomainname like "s3-bah.cloud" or url like "s3-bah.cloud" or userdomainname like "servicenowinc.us" or url like "servicenowinc.us" or userdomainname like "usip.us" or url like "usip.us" or userdomainname like "eopgov.cloud" or url like "eopgov.cloud" or userdomainname like "zoom-meeting.cloud" or url like "zoom-meeting.cloud" or userdomainname like "gov-au.cloud" or url like "gov-au.cloud" or userdomainname like "s3-stig.cloud" or url like "s3-stig.cloud" or userdomainname like "foreignpolicy.cloud" or url like "foreignpolicy.cloud" or userdomainname like "albrightstonebridge.cloud" or url like "albrightstonebridge.cloud" or userdomainname like "gmfus.cloud" or url like "gmfus.cloud" or userdomainname like "mvep-hr.cloud" or url like "mvep-hr.cloud" or userdomainname like "mapn-ro.cloud" or url like "mapn-ro.cloud" or userdomainname like "mae-ro.cloud" or url like "mae-ro.cloud" or userdomainname like "ms-meeting.online" or url like "ms-meeting.online" or userdomainname like "presidencia-pt.cloud" or url like "presidencia-pt.cloud" or userdomainname like "s3-aws.global" or url like "s3-aws.global" or userdomainname like "defense-gouv.cloud" or url like "defense-gouv.cloud" or userdomainname like "oktacloud.us" or url like "oktacloud.us" or userdomainname like "cnas.zone" or url like "cnas.zone" or userdomainname like "s3-nato.cloud" or url like "s3-nato.cloud" or userdomainname like "s3-ida.cloud" or url like "s3-ida.cloud" or userdomainname like "freedomhouse.cloud" or url like "freedomhouse.cloud" or userdomainname like "awsplatform.online" or url like "awsplatform.online" or userdomainname like "ecfr.cloud" or url like "ecfr.cloud" or userdomainname like "zixcorp.cloud" or url like "zixcorp.cloud" or userdomainname like "s3-ucia.cloud" or url like "s3-ucia.cloud" or userdomainname like 
"awsmeet.cloud" or url like "awsmeet.cloud" or userdomainname like "msconferences.cloud" or url like "msconferences.cloud" or userdomainname like "shicloud.online" or url like "shicloud.online" or userdomainname like "defence-au.cloud" or url like "defence-au.cloud" or userdomainname like "s3.army" or url like "s3.army" or userdomainname like "symbolsecurity.cloud" or url like "symbolsecurity.cloud" or userdomainname like "microsoft-meeting.cloud" or url like "microsoft-meeting.cloud" or userdomainname like "mil-pt.cloud" or url like "mil-pt.cloud" or userdomainname like "s3-spacex.cloud" or url like "s3-spacex.cloud" or userdomainname like "rubrik.zone" or url like "rubrik.zone" or userdomainname like "go-jp.cloud" or url like "go-jp.cloud" or userdomainname like "gov-pl.cloud" or url like "gov-pl.cloud" or userdomainname like "ua-energy.cloud" or url like "ua-energy.cloud" or userdomainname like "mil-be.cloud" or url like "mil-be.cloud" or userdomainname like "s3-army.cloud" or url like "s3-army.cloud" or userdomainname like "govua.cloud" or url like "govua.cloud" or userdomainname like "mimecast.cloud" or url like "mimecast.cloud" or userdomainname like "aws-meetings.cloud" or url like "aws-meetings.cloud" or userdomainname like "s3-nsa.cloud" or url like "s3-nsa.cloud" or userdomainname like "csbaonline.cloud" or url like "csbaonline.cloud" or userdomainname like "stratfor.cloud" or url like "stratfor.cloud" or userdomainname like "democracyendowment.cloud" or url like "democracyendowment.cloud" or userdomainname like "gov-lv.cloud" or url like "gov-lv.cloud" or userdomainname like "mfa-gov-tr.cloud" or url like "mfa-gov-tr.cloud" or userdomainname like "go-conference.cloud" or url like "go-conference.cloud" or userdomainname like "cfr-aws.cloud" or url like "cfr-aws.cloud" or userdomainname like "asucloud.us" or url like "asucloud.us" or userdomainname like "minbuza.cloud" or url like "minbuza.cloud" or userdomainname like "s3-pt.cloud" or url like 
"s3-pt.cloud" or userdomainname like "gov-fi.cloud" or url like "gov-fi.cloud" or userdomainname like "gov-aws.cloud" or url like "gov-aws.cloud" or userdomainname like "clari.cloud" or url like "clari.cloud" or userdomainname like "mil-pl.cloud" or url like "mil-pl.cloud" or userdomainname like "s3-proofpoint.cloud" or url like "s3-proofpoint.cloud" or userdomainname like "ukrainesec.cloud" or url like "ukrainesec.cloud" or userdomainname like "mde-es.cloud" or url like "mde-es.cloud" or userdomainname like "saiccloud.us" or url like "saiccloud.us" or userdomainname like "backupify.cloud" or url like "backupify.cloud" or userdomainname like "mzv-cz.cloud" or url like "mzv-cz.cloud" or userdomainname like "swcloud.us" or url like "swcloud.us"

    Detection Query 2

    userdomainname like "mil-ee.cloud" or url like "mil-ee.cloud" or userdomainname like "gov-lt.cloud" or url like "gov-lt.cloud" or userdomainname like "kam-lt.cloud" or url like "kam-lt.cloud" or userdomainname like "govtr.cloud" or url like "govtr.cloud" or userdomainname like "ukrtelecom.cloud" or url like "ukrtelecom.cloud" or userdomainname like "us-army.cloud" or url like "us-army.cloud" or userdomainname like "gv-at.cloud" or url like "gv-at.cloud" or userdomainname like "s3-be.cloud" or url like "s3-be.cloud" or userdomainname like "gouv-fr.cloud" or url like "gouv-fr.cloud" or userdomainname like "s3-dk.cloud" or url like "s3-dk.cloud" or userdomainname like "ua-sec.cloud" or url like "ua-sec.cloud" or userdomainname like "msz-pl.cloud" or url like "msz-pl.cloud" or userdomainname like "quirinale.cloud" or url like "quirinale.cloud" or userdomainname like "mzv-sk.cloud" or url like "mzv-sk.cloud" or userdomainname like "bund-de.cloud" or url like "bund-de.cloud" or userdomainname like "mindef-nl.cloud" or url like "mindef-nl.cloud" or userdomainname like "skykick.solutions" or url like "skykick.solutions" or userdomainname like "softcat.cloud" or url like "softcat.cloud" or userdomainname like "parseccomputer.cloud" or url like "parseccomputer.cloud" or userdomainname like "rrt.solutions" or url like "rrt.solutions" or userdomainname like "polycom.solutions" or url like "polycom.solutions" or userdomainname like "pulsesecure.cloud" or url like "pulsesecure.cloud" or userdomainname like "s3-esa.cloud" or url like "s3-esa.cloud" or userdomainname like "capgemini.services" or url like "capgemini.services" or userdomainname like "mod-cloud.uk" or url like "mod-cloud.uk" or userdomainname like "nrcc.cloud" or url like "nrcc.cloud" or userdomainname like "brookings.cloud" or url like "brookings.cloud" or userdomainname like "justice.technology" or url like "justice.technology" or userdomainname like "s3-blackberry.cloud" or url like "s3-blackberry.cloud" or 
userdomainname like "4freerussia.cloud" or url like "4freerussia.cloud" or userdomainname like "barracuda.solutions" or url like "barracuda.solutions" or userdomainname like "caci.solutions" or url like "caci.solutions" or userdomainname like "exclaimer.solutions" or url like "exclaimer.solutions" or userdomainname like "s3-atlassian.cloud" or url like "s3-atlassian.cloud" or userdomainname like "wrapsnet.cloud" or url like "wrapsnet.cloud" or userdomainname like "zoommeeting.zone" or url like "zoommeeting.zone" or userdomainname like "crisisgroup.services" or url like "crisisgroup.services" or userdomainname like "forces-gc.cloud" or url like "forces-gc.cloud" or userdomainname like "s3-fbi.cloud" or url like "s3-fbi.cloud" or userdomainname like "s3-rand.cloud" or url like "s3-rand.cloud" or userdomainname like "zero-trust.solutions" or url like "zero-trust.solutions" or userdomainname like "c-r.services" or url like "c-r.services" or userdomainname like "ceip.cloud" or url like "ceip.cloud" or userdomainname like "cepa.solutions" or url like "cepa.solutions" or userdomainname like "gc-cloud.ca" or url like "gc-cloud.ca" or userdomainname like "macfound.services" or url like "macfound.services" or userdomainname like "admin-ch.cloud" or url like "admin-ch.cloud" or userdomainname like "americanprogress.cloud" or url like "americanprogress.cloud" or userdomainname like "s3-iri.cloud" or url like "s3-iri.cloud" or userdomainname like "clearancejobs.cloud" or url like "clearancejobs.cloud" or userdomainname like "cwinc.cloud" or url like "cwinc.cloud" or userdomainname like "s3-marcus.cloud" or url like "s3-marcus.cloud" or userdomainname like "s3-ned.cloud" or url like "s3-ned.cloud" or userdomainname like "mod-gov-il.cloud" or url like "mod-gov-il.cloud" or userdomainname like "ncsc.solutions" or url like "ncsc.solutions" or userdomainname like "ndu.solutions" or url like "ndu.solutions" or userdomainname like "opensocietyfoundations.cloud" or url like 
"opensocietyfoundations.cloud" or userdomainname like "s3-aws.cloud" or url like "s3-aws.cloud" or userdomainname like "go-meet-up.com" or url like "go-meet-up.com" or userdomainname like "go-meeting.online" or url like "go-meeting.online" or userdomainname like "zoom-meeting.pro" or url like "zoom-meeting.pro" or userdomainname like "go-meeting.cloud" or url like "go-meeting.cloud" or userdomainname like "ms-conference.cloud" or url like "ms-conference.cloud" or userdomainname like "go-meet.pro" or url like "go-meet.pro" or userdomainname like "aws-join.cloud" or url like "aws-join.cloud" or userdomainname like "gov-trust.cloud" or url like "gov-trust.cloud"

    Detection Query 3

    dstipaddress IN ("166.0.187.237","162.252.175.233","185.187.155.33","38.180.146.32","192.36.27.226","37.1.196.172","185.187.155.72","2.58.201.27","198.50.106.140","198.50.106.141","38.180.146.210","151.236.16.22","151.236.16.38","158.255.213.192","176.97.70.55","38.180.146.30","158.255.213.49","109.205.214.45","23.160.56.95","5.183.95.240","185.187.155.73","185.172.39.220","172.96.137.125","185.76.79.178","38.180.136.93","13.49.21.253","209.182.225.10","185.216.72.185","2.58.200.79","45.134.110.82","151.236.22.149","95.156.207.121","84.32.188.197","149.154.158.85","158.255.213.185","84.32.188.193","185.76.79.244","179.43.148.82","185.76.79.167","89.46.234.115","45.11.230.144","185.76.79.60","166.0.187.233","166.0.187.245","151.236.16.193","192.36.57.107","158.255.213.154","151.236.16.236","185.172.39.51","38.180.146.216","179.43.163.18","38.180.90.36","194.37.97.189","151.236.16.24","185.216.72.196","146.71.81.13","151.236.14.116","103.144.139.254","23.160.56.100","141.195.117.129","23.160.56.122","162.252.172.155","151.236.16.101","166.0.187.183","23.160.56.115","141.195.117.126","151.236.22.36","84.32.188.148","166.0.187.252","2.58.14.80","185.177.126.225","104.161.58.10","212.1.213.198","45.137.21.10","45.134.110.78","45.11.230.105","185.172.39.52","185.172.39.50","45.137.213.17","185.187.155.78","155.138.238.169","162.216.243.210","178.255.43.30","166.0.187.235","38.180.146.28","46.19.141.186","45.137.21.11","38.180.88.106","185.172.39.230","104.36.229.110","23.108.190.249","38.180.230.79","45.11.230.155","38.180.146.230","38.180.146.178","38.180.91.2","2.58.200.80","193.200.17.162","38.180.146.193","45.134.111.126","38.180.5.60","149.28.9.18","45.80.193.9","104.238.60.216","151.236.16.220","141.195.117.127","45.41.187.233","84.32.188.153","158.255.213.168","38.180.110.238","192.121.23.126","103.144.139.73","166.0.187.241","142.91.38.80","93.188.163.16","45.134.110.55","149.154.158.205","172.86.73.187","151.236.15.134","151.236.16.102","185.76.79.229","162.2
52.172.59","151.236.16.213","45.141.58.59","95.217.113.133","84.32.188.200","141.195.117.125","185.76.79.233","166.0.187.240","185.100.234.105","46.249.38.131","178.239.171.41","45.134.110.83","81.17.31.106","45.11.231.8","46.30.189.62","185.187.155.79","166.0.187.236","2.58.203.61","45.11.230.111","109.205.214.50","190.211.254.32","104.225.129.128","109.205.214.52","188.214.33.222","93.188.164.74","23.160.56.105","45.11.231.9","23.227.194.189","82.180.139.47","23.160.56.110","45.11.230.60","38.180.83.120","151.236.16.128","185.76.79.140","178.162.203.91","162.252.172.223","151.236.16.98","151.236.16.138","212.1.213.200","38.180.81.168","2.58.200.78","45.67.84.14","162.252.172.158","23.160.56.90","149.154.158.250","185.76.79.190","89.46.234.152","166.0.187.199","23.160.56.123","185.76.79.86","185.76.79.59","149.154.158.63","185.216.72.192","38.180.83.103","89.46.234.93","185.216.72.182","38.180.137.213","151.236.16.245","185.187.155.71","193.29.59.9","135.181.130.232","104.238.57.40","162.252.172.109","185.76.79.53","185.76.79.16","149.154.158.133","38.180.146.29") or ipaddress IN 
("166.0.187.237","162.252.175.233","185.187.155.33","38.180.146.32","192.36.27.226","37.1.196.172","185.187.155.72","2.58.201.27","198.50.106.140","198.50.106.141","38.180.146.210","151.236.16.22","151.236.16.38","158.255.213.192","176.97.70.55","38.180.146.30","158.255.213.49","109.205.214.45","23.160.56.95","5.183.95.240","185.187.155.73","185.172.39.220","172.96.137.125","185.76.79.178","38.180.136.93","13.49.21.253","209.182.225.10","185.216.72.185","2.58.200.79","45.134.110.82","151.236.22.149","95.156.207.121","84.32.188.197","149.154.158.85","158.255.213.185","84.32.188.193","185.76.79.244","179.43.148.82","185.76.79.167","89.46.234.115","45.11.230.144","185.76.79.60","166.0.187.233","166.0.187.245","151.236.16.193","192.36.57.107","158.255.213.154","151.236.16.236","185.172.39.51","38.180.146.216","179.43.163.18","38.180.90.36","194.37.97.189","151.236.16.24","185.216.72.196","146.71.81.13","151.236.14.116","103.144.139.254","23.160.56.100","141.195.117.129","23.160.56.122","162.252.172.155","151.236.16.101","166.0.187.183","23.160.56.115","141.195.117.126","151.236.22.36","84.32.188.148","166.0.187.252","2.58.14.80","185.177.126.225","104.161.58.10","212.1.213.198","45.137.21.10","45.134.110.78","45.11.230.105","185.172.39.52","185.172.39.50","45.137.213.17","185.187.155.78","155.138.238.169","162.216.243.210","178.255.43.30","166.0.187.235","38.180.146.28","46.19.141.186","45.137.21.11","38.180.88.106","185.172.39.230","104.36.229.110","23.108.190.249","38.180.230.79","45.11.230.155","38.180.146.230","38.180.146.178","38.180.91.2","2.58.200.80","193.200.17.162","38.180.146.193","45.134.111.126","38.180.5.60","149.28.9.18","45.80.193.9","104.238.60.216","151.236.16.220","141.195.117.127","45.41.187.233","84.32.188.153","158.255.213.168","38.180.110.238","192.121.23.126","103.144.139.73","166.0.187.241","142.91.38.80","93.188.163.16","45.134.110.55","149.154.158.205","172.86.73.187","151.236.15.134","151.236.16.102","185.76.79.229","162.252.172.59","151.236.
16.213","45.141.58.59","95.217.113.133","84.32.188.200","141.195.117.125","185.76.79.233","166.0.187.240","185.100.234.105","46.249.38.131","178.239.171.41","45.134.110.83","81.17.31.106","45.11.231.8","46.30.189.62","185.187.155.79","166.0.187.236","2.58.203.61","45.11.230.111","109.205.214.50","190.211.254.32","104.225.129.128","109.205.214.52","188.214.33.222","93.188.164.74","23.160.56.105","45.11.231.9","23.227.194.189","82.180.139.47","23.160.56.110","45.11.230.60","38.180.83.120","151.236.16.128","185.76.79.140","178.162.203.91","162.252.172.223","151.236.16.98","151.236.16.138","212.1.213.200","38.180.81.168","2.58.200.78","45.67.84.14","162.252.172.158","23.160.56.90","149.154.158.250","185.76.79.190","89.46.234.152","166.0.187.199","23.160.56.123","185.76.79.86","185.76.79.59","149.154.158.63","185.216.72.192","38.180.83.103","89.46.234.93","185.216.72.182","38.180.137.213","151.236.16.245","185.187.155.71","193.29.59.9","135.181.130.232","104.238.57.40","162.252.172.109","185.76.79.53","185.76.79.16","149.154.158.133","38.180.146.29") or publicipaddress IN 
("166.0.187.237","162.252.175.233","185.187.155.33","38.180.146.32","192.36.27.226","37.1.196.172","185.187.155.72","2.58.201.27","198.50.106.140","198.50.106.141","38.180.146.210","151.236.16.22","151.236.16.38","158.255.213.192","176.97.70.55","38.180.146.30","158.255.213.49","109.205.214.45","23.160.56.95","5.183.95.240","185.187.155.73","185.172.39.220","172.96.137.125","185.76.79.178","38.180.136.93","13.49.21.253","209.182.225.10","185.216.72.185","2.58.200.79","45.134.110.82","151.236.22.149","95.156.207.121","84.32.188.197","149.154.158.85","158.255.213.185","84.32.188.193","185.76.79.244","179.43.148.82","185.76.79.167","89.46.234.115","45.11.230.144","185.76.79.60","166.0.187.233","166.0.187.245","151.236.16.193","192.36.57.107","158.255.213.154","151.236.16.236","185.172.39.51","38.180.146.216","179.43.163.18","38.180.90.36","194.37.97.189","151.236.16.24","185.216.72.196","146.71.81.13","151.236.14.116","103.144.139.254","23.160.56.100","141.195.117.129","23.160.56.122","162.252.172.155","151.236.16.101","166.0.187.183","23.160.56.115","141.195.117.126","151.236.22.36","84.32.188.148","166.0.187.252","2.58.14.80","185.177.126.225","104.161.58.10","212.1.213.198","45.137.21.10","45.134.110.78","45.11.230.105","185.172.39.52","185.172.39.50","45.137.213.17","185.187.155.78","155.138.238.169","162.216.243.210","178.255.43.30","166.0.187.235","38.180.146.28","46.19.141.186","45.137.21.11","38.180.88.106","185.172.39.230","104.36.229.110","23.108.190.249","38.180.230.79","45.11.230.155","38.180.146.230","38.180.146.178","38.180.91.2","2.58.200.80","193.200.17.162","38.180.146.193","45.134.111.126","38.180.5.60","149.28.9.18","45.80.193.9","104.238.60.216","151.236.16.220","141.195.117.127","45.41.187.233","84.32.188.153","158.255.213.168","38.180.110.238","192.121.23.126","103.144.139.73","166.0.187.241","142.91.38.80","93.188.163.16","45.134.110.55","149.154.158.205","172.86.73.187","151.236.15.134","151.236.16.102","185.76.79.229","162.252.172.59","151.236.
16.213","45.141.58.59","95.217.113.133","84.32.188.200","141.195.117.125","185.76.79.233","166.0.187.240","185.100.234.105","46.249.38.131","178.239.171.41","45.134.110.83","81.17.31.106","45.11.231.8","46.30.189.62","185.187.155.79","166.0.187.236","2.58.203.61","45.11.230.111","109.205.214.50","190.211.254.32","104.225.129.128","109.205.214.52","188.214.33.222","93.188.164.74","23.160.56.105","45.11.231.9","23.227.194.189","82.180.139.47","23.160.56.110","45.11.230.60","38.180.83.120","151.236.16.128","185.76.79.140","178.162.203.91","162.252.172.223","151.236.16.98","151.236.16.138","212.1.213.200","38.180.81.168","2.58.200.78","45.67.84.14","162.252.172.158","23.160.56.90","149.154.158.250","185.76.79.190","89.46.234.152","166.0.187.199","23.160.56.123","185.76.79.86","185.76.79.59","149.154.158.63","185.216.72.192","38.180.83.103","89.46.234.93","185.216.72.182","38.180.137.213","151.236.16.245","185.187.155.71","193.29.59.9","135.181.130.232","104.238.57.40","162.252.172.109","185.76.79.53","185.76.79.16","149.154.158.133","38.180.146.29") or srcipaddress IN 
("166.0.187.237","162.252.175.233","185.187.155.33","38.180.146.32","192.36.27.226","37.1.196.172","185.187.155.72","2.58.201.27","198.50.106.140","198.50.106.141","38.180.146.210","151.236.16.22","151.236.16.38","158.255.213.192","176.97.70.55","38.180.146.30","158.255.213.49","109.205.214.45","23.160.56.95","5.183.95.240","185.187.155.73","185.172.39.220","172.96.137.125","185.76.79.178","38.180.136.93","13.49.21.253","209.182.225.10","185.216.72.185","2.58.200.79","45.134.110.82","151.236.22.149","95.156.207.121","84.32.188.197","149.154.158.85","158.255.213.185","84.32.188.193","185.76.79.244","179.43.148.82","185.76.79.167","89.46.234.115","45.11.230.144","185.76.79.60","166.0.187.233","166.0.187.245","151.236.16.193","192.36.57.107","158.255.213.154","151.236.16.236","185.172.39.51","38.180.146.216","179.43.163.18","38.180.90.36","194.37.97.189","151.236.16.24","185.216.72.196","146.71.81.13","151.236.14.116","103.144.139.254","23.160.56.100","141.195.117.129","23.160.56.122","162.252.172.155","151.236.16.101","166.0.187.183","23.160.56.115","141.195.117.126","151.236.22.36","84.32.188.148","166.0.187.252","2.58.14.80","185.177.126.225","104.161.58.10","212.1.213.198","45.137.21.10","45.134.110.78","45.11.230.105","185.172.39.52","185.172.39.50","45.137.213.17","185.187.155.78","155.138.238.169","162.216.243.210","178.255.43.30","166.0.187.235","38.180.146.28","46.19.141.186","45.137.21.11","38.180.88.106","185.172.39.230","104.36.229.110","23.108.190.249","38.180.230.79","45.11.230.155","38.180.146.230","38.180.146.178","38.180.91.2","2.58.200.80","193.200.17.162","38.180.146.193","45.134.111.126","38.180.5.60","149.28.9.18","45.80.193.9","104.238.60.216","151.236.16.220","141.195.117.127","45.41.187.233","84.32.188.153","158.255.213.168","38.180.110.238","192.121.23.126","103.144.139.73","166.0.187.241","142.91.38.80","93.188.163.16","45.134.110.55","149.154.158.205","172.86.73.187","151.236.15.134","151.236.16.102","185.76.79.229","162.252.172.59","151.236.
16.213","45.141.58.59","95.217.113.133","84.32.188.200","141.195.117.125","185.76.79.233","166.0.187.240","185.100.234.105","46.249.38.131","178.239.171.41","45.134.110.83","81.17.31.106","45.11.231.8","46.30.189.62","185.187.155.79","166.0.187.236","2.58.203.61","45.11.230.111","109.205.214.50","190.211.254.32","104.225.129.128","109.205.214.52","188.214.33.222","93.188.164.74","23.160.56.105","45.11.231.9","23.227.194.189","82.180.139.47","23.160.56.110","45.11.230.60","38.180.83.120","151.236.16.128","185.76.79.140","178.162.203.91","162.252.172.223","151.236.16.98","151.236.16.138","212.1.213.200","38.180.81.168","2.58.200.78","45.67.84.14","162.252.172.158","23.160.56.90","149.154.158.250","185.76.79.190","89.46.234.152","166.0.187.199","23.160.56.123","185.76.79.86","185.76.79.59","149.154.158.63","185.216.72.192","38.180.83.103","89.46.234.93","185.216.72.182","38.180.137.213","151.236.16.245","185.187.155.71","193.29.59.9","135.181.130.232","104.238.57.40","162.252.172.109","185.76.79.53","185.76.79.16","149.154.158.133","38.180.146.29")

    Detection Query 4

    sha256hash IN ("f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8","a246253fab152deac89b895a7c1bca76498b4aa044c907559c15109c1187a448","ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46","648afcc709ac18c4fe235d24bf51a8230e9700b97c3dcc0a739816966f2b58b6","2fb1d01f9859c676ef37b060c5e8db0a12472c96260114a6edee45d8546184c9","1c1941b40718bf31ce190588beef9d941e217e6f64bd871f7aee921099a9d881","280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0","50bed47064e4ecd01c4a9271e63af7cfdf52ea4096f205470e41eef7eb01c1e1","8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5","36e45fdeba3fdb3708fb1c2602c30cb5b66fbc5ea790f0716390d9f69c363542","32fa0e3902a1f287280e2e6ddcbfe4fc0a47f1fa5ddb5e04a7651c51343621e")

    Reference:

    https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html


    Tags

    Malware, RDP, Cyber Espionage, Phishing
