Hoodoo Uses Google C2 Red Team Tool as Payload


Aliases: Hoodoo, APT41, Barium, Bronze Atlas, Wicked Panda, Winnti

In a change of strategy, China-linked APT41 targeted a Taiwanese media outlet and an Italian employment agency using standard, open-source penetration testing tools. The Chinese state-sponsored hacking group APT41, also known as HOODOO, targets a range of industries in the US, Asia, and Europe.

Indicators of Compromise


APT Groups (1)

Axiom (China)
Aliases: Bronze Olive, Axiom, Wicked Panda, APT 22, Group 72, Wicked Spider, Bronze Export, Winnti Group

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations
Phishing emails can be blocked by email gateways that filter them before they reach the recipient. Other methods include:
  • Training employees in email security
  • Keeping software up to date
  • Following daily cyber security news from sites such as SOCRadar
  • Conducting regular security audits (at least twice a year) to find and secure the weakest link

Reports & References (2)

Observed Countries (22)

BD (808)
BE (438)
BN (694)
CH (761)
CN (297)
DE (32)
FR (409)
GB (558)
HK (587)
ID (280)
IE (860)
IN (199)
JP (543)
MM (649)
MN (323)
NL (664)
SG (873)
TH (104)
TR (526)
TW (154)
US (715)
ZA (701)