DomainMediumSignal 83/100

`mil-by.info`

Location

Estonia

First Seen

Apr 25, 2025

Last Seen

Jun 8, 2026

Apr 25

First Seen

415d ago

Jun 8

Last Seen

6d ago

Reports

source reports

83%

Confidence

medium

17/91

VirusTotal

detections

Found in 11 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.

Domain Name

Malicious domain used for C2, phishing, or malware distribution.

MISP Category

Network Activity

Confidence

83%

Signal Score

83 / 100

IDS Rule

Threat Context

MITRE ATT&CK TTPs

104 techniques

Feed Intelligence Summary

11 reports83% confidence

Source reports

83%

Confidence score

Category tags

a serviceabcdacceptaccessaccountacidrainactive scanad environmentad groupadfindadministratoraes keyafghanistanafricaagentahnlabai evasionai securityaitbalbaniaalbanianalert schemealexaliveallegatoamadeyamsi telemetryanalyzeanchoranchordnsandroidangry likhoanunakanydeskanydesk remoteapacheapache tomcatapi callapi hashapi hashingappdataappeappearanceaptapt 27apt groupapt group team46apt group: team46apt19apt27apt29apt29 activityapt29 conductapt41aquatic pandaarcanearmeniaartefactsfolderartemisascii valueascii85asec analysisasiaasyncratateraatera agentatomatomicattackattack overviewauroraautoitav evasionavastavosavoslockerawaken likhoazaz09azorultbackbackdoorbackdoor infectionbad rabbitbankbasebase64base85basecampbatloaderbazaarbazaloaderbazarbazar c2bazar loaderbazarbackdoorbazarcallbazarloaderbazarloader dllbeaconbeacon dllbeacon payloadbeacon typebeacon versionbeaconloaderbeapybearbeatdropbeerbelarusbelowbeyondbitcoinbitsblack owlblackcatblackshadesblisterblobbluenoroffbo teamboatlaunchbodybokbotbookmark serverboommicbotnetbotnet activitybreachbridgebrowserbrowser injectionbrute forcebughatchbuildbumblebee c2bumblebee dllbypassc activityc serverc2 communicationc2 datac2 dropboxc2 profilec2 serverc2 trafficcaesarcampocampo loadercanthroidcaploadercapturecarbon spidercashcec listcenterallcerbercertchachachamelgangchanitorchaprochatchimerachina chopperchinese-speaking cybercrimechiselchm filechromecisacisco securecisco taloscisco threatcivil servicesck techniqueclassclassloadercleanupclickclosecloudcnc servercnuserscobaltcobalt strikecobalt strike loadercobalt strikescobaltstrikecodecoinminercolor1cometcommandcommand & controlcommand and controlcommand executioncommentcommercial bankingcommunication technologiescompilecomspecconceptconficonfigconfluence dataconsolecontcontactcontentconticonti affiliateconti gangconti groupcontributorscontrolcookiecookie valuecopycorecore impactcore werewolfcortex xdrcovewarecovid19cp1250credential accesscredential harvestingcredential stuffingcrowdstrikecrphcryptercryptocurrencycs loaderctrltcubacuba ransomwarecustomerloadercvsscybercyber espionagecyber espionage solutionscyber threat hunterscyber threatscybercrime hascybereason xdrcybersecurity architectcyclopsdantedante proxydante proxy usagedark cometdarkcometdarkgaboondarkgatedarkhoteldarkshelldarksidedatadata centerdata encryptiondata exfiltrationdata riskdata store exposuredatopdatoploaderdaveshelldc serverdclocalddosdeadeyedecoydecryptdef condefenderspynetdefensedefense evasiondefraydefray777delphidemodenis legezodesktopdetectdexterdfdownloaderdfir reportdfir teamdiavoldiceloaderdidier stevensdigital certificatesdircreatedirect systemdirectorydiscorddisplaynamedistributed attacksdkmcdkmc frameworkdll filedll librarydll payloaddll sideloadingdllentry ratdllsdnc hackdnc networkdns attackdoesndomaindonald trumpdonedonutdoormedoorme backdoordoppelpaymerdoradorkbotdos headerdownloaderdownragedpiawaredridexdropboxdropbox loaderdropperdrops cobaltduckdukedumpduqudustpandwordearth wendigoeasyeasylookedgeedr hooksedreppefnoegregoregregor payloadelfeliteemerging threatemissary pandaemotetemotet campaignemotet coreemotet epochemotet payloademotet runempireenableencoderencryptencryptionendpoint1energyenglishenjoyenterpssessionentropyentry pointepochepochsepochtimeerik hjelmvikerroreseteset researcheset securityestoniaesxiet cncet exploiteuropeeurope/asiaevil corpexcelexecutable fileexfiltrationexitendififexotic lilyexpert perspectiveexploitexploit avaliableexploitation activityexploits & vulnerabilitiesexport functionfailfairy wolffalconfalcon completefalsefastfeaturefeodo trackerficker stealerfigurefilefilejustfileless malwarefilesfillerfin7finalfindfinspyfireeyefirstfirst detectionfishmasterfivehandsflexfooterfoozerforceforeign affairsformformatfortunefrom karakurtfrontfrpfunctiong o2gamacopygap analysisgasgategate variantgaussgeckogeneric.933739germanyget requestgetchilditemgetoperandvaluegif headergithubgithub projectglobal funcgnu cgo downloadergogogolanggold blackburngoogle chromegoogle cloudgoogle docsgoogle drivegootkitgootkit loadergootloadergotrojgovernment technologygozigozi malwaregrabffgrantedaccessgrapeloadergriffongroup policygroupexchangegrouprevilgroupuchebkacguardguloaderhackhackermanhacking teamhadeshaixi mongolhancitorhancitor c2hancitor dllhancitor exehandoverharpyharvesterhashhatching triagehavocheaderheadlineshellhellohello packethellokittyhidehidedrvhighesthikithillhivehive0117honeymytehong konghoody hyenahookhookshta filehtmlhtml filehtml objecthttphttp c2http gethttp methodhttp posthttp traffichttpshttps traffichumanhuntershwinithlwhydrahydraulicsicedidicedid malwareicedid payloadiceidicmpida proidentity & access exploitationigosiis workeriit appil fileil messaggioimages evidenceimpactimportin the wildincident responseindia-chinaindicatorindonesiainfectionidinfoinfostealerinitial accessinitial contactinjectinjection activityinjectorinstallintelintro contiinvestigation servicesinvestigationsioc510iocindicatoriocsiot securityipcountipv4iso fileiso filesystemiso imageissuer cusissuer orgitaliaitw nameja3ja3sjames haughomjan rubnjapanjarmjarm signaturejarsjasonjavascript codejitterjohnjs filejson objectjssloaderkarakurtkaspersky icskazakhstankazuarkerrdown samplekeyplugkhalesikhtmlknightkoadickoreankportscankronoslaterlateral movementlatinlazagnelearnlearn morelegallegezolemon duckleviathanlibrarian ghoulslifelifting zmiylimelinodelinuxlinux systemlnk filelnklnklnklnkloaderloader functionalitylocallockbitlockbit blacklog4jlog4shelllogiclogmeinlokibotlolbinslone wolflpwstr lpbufferlsasslsass memorylsass processltexasluckyluckymouseluminousmothmac osmacawmachinescalemachomacosmacromagicmailtomainmain entrymakadocsmakesmalaysiamalcatmaldocmalicious filemalicious powershell activitymalicious softwaremalspammalwaremalware descriptionsmalware distributionmalware droppermalware implantmalware technologiesmalware: trinpermalwarebazaarmanagemanaged xdrmarchx8664 gmaremarkmaskmatanbuchusmatches nomatrixmazemaze ransomwaremcafeemediamedremeetingmegamespinozametasploitmeterpretermethodmethodologymexicomichaelmicromicrobackdoormicrosoft docsmicrosoft wordmidst intrusionmindminermitre attmobile carriersmobile networksmobile threatmodelmodule stompmongoliamonitoringmonovmmonpassmonpass clientmonpass webmoonshine trickstermorphisec labsmortomotcmotnugmountlockermovingmozillams windowsmsbuildmsbuild processmsbuild projectmsf downloadermsf shellcodemshtml enginemsiemssqlmssql processmssql servermuddywatermulti-stage droppermultiplemustang pandamyanmarmyrtusmz headern c2n cobaltn httpsnaganamename filenarilamnation-state activitynativezonenbtscannebulaneitherneshtanetbiosnetscannetspynetsupport ratnetwalkernetwirenetworknetwork forensicsnevernewsnextnexusngrokngrok tunnelnightnim malwarenim programmingnimgrabbernimrevnimrodnimrodnimzanimzaloadernltestnobeliumnonamenorth americansantdsntlmntlm hasho2 o2obfuscation techniquesocean lotusoceanlotusoffensivenimoffice vulnerabilityoilrigololone marketplaceoniondukeonlinoofficeopenopen processopen sourceopenfieldopensopenssloperation pawnoperationsopsecor filefullnameoracle weblogicorionos versionoverownerp4bnzr0palo altopandapartpasspatchpathpawn stormpayloadpayloadbinpcappdf documentpe headerphasephishingphishing attackphotoloaderpingpinkslipbotpioneerpipespl shellcodeplatform sha256pleadpleaseplinkplugxplugx backdoorplugx implantpoisonpoliceponypoortryportpos softwareposhc2postpost bodypost methodpotential scanpowerpowershellpowershell executionpowershell ratprefecturepress enterprimary threatpriorprivacyprocess hackerprocess injectionproduct supplyprojector libraprophetprophet spiderprosperous werewolfprotectproxyproxyshellpseudogamaredonpsexecpsrppublicpublic administrationpublic infrastructurepublic policyputtypymafkapysapysa ransomwarepythonpython scriptpyxieqakbotqakbot binaryqakbot malspamqakbot malwareqbotquasarqueryquesto certquietexitraasradarradminragnarlockerraindrop loaderrandomransomransom virusransomexxransomhubransomwarerapid7rararchiverare werewolfraspberry robinratrat trojanratsrazyrc4 encryptionreaves6 minreconrecon villagereconnaissancered team activityredlineredline stealerreferregszregulatory agenciesregwriterelatedtoremcomremcosratremote accessremoverenamereportreportsrequestresearchresearchedreturn addressrevilrevilcontirezetritarobinhoodrollcoastroom155rootrozenarubeusrubyrun registryrussiarustrustockrustybuerryukryuk domainryuk hostryuk ransomwareryuk threatsabbathsafetykatzsagesandboxsandbox evasionsandbox reportsapphire werewolfscalescams & fraudscan behavioralscannerscoutscriptscripting attacksseadukeseatbeltsecurexsecurity groupssekhmetsekurselectserbiaserverserver helloserviceservice mainservice scanservice workerset currentsfx codesfx fileshadowshadow chasersharpkatzshathakshellshellcodeshownshutsignsilentsilent breaksilent trinitysilentbreaksizesleepsleepexslingshotsliverslovakslovakiasmadavprotect32smallsmb beaconsnakesnortsnowsoarsocgholish netsupportsocial engineeringsocssodinokibisofacysoftethersolarstormsolarwindssomniasourceimagesouth africaspamsparklinggoblinsparkratspawnspear phishingspeedsphwspidersprite spiderspyeyesslblstabuniqstackstagestagerstagesstarstarkstarsstarted servicestartwstatastatestdoutstealerstellarparticlesticky werewolfstoneboatstopstormstorystreamstrikestrike activitystrike beaconstrike loaderstrike payloadstringstringsstrongstrontiumsttxstuxnetsublime editorsummarysuncryptsupernovasupply chain attacksvchostswedishswiftsyscallsysdigsystembcsyswhispers2szdrft1003t1003.001t1005t1007t1012t1016t1018t1020t1021t1027t1027.002t1027.009t1036t1036.004t1041t1047t1053t1053.005t1055t1056t1056.001t1057t1059t1059.001t1059.003t1068t1069t1069.001t1070t1070.004t1071t1071.001t1071.002t1078t1078.001t1082t1083t1086t1105t1110t1110.001t1113t1119t1120t1133t1136t1136.001t1140t1176t1189t1190t1195t1195.001t1199t1204t1204.002t1205t1205.001t1210t1213t1218t1218.011t1485t1486t1496t1499.002t1499.003t1543.003t1547t1547.001t1547.009t1553.002t1555t1555.004t1556t1556.001t1562t1562.001t1562.006t1565t1566t1566.001t1566.002t1566.003t1568t1569t1569.002t1573t1573.001t1574t1574.001t1574.002t1588t1588.002t1592t1592.002t1592.004t1608t1608.001t1608.002t1608.004t1614t1614.001t1622ta tolikta471ta551ta578ta800talostargettargeted attackstargetimagetask managertaxofftcp portteamteam46teamt5teamt5 teamt5techtelecomtelecom servicestelecommunicationstemptencenttheftthemidathorthreatthreat actorthreat advisorythreat alertthreat analysisthreat analysis servicethreat feedthreat gridthreat intelligencethreat researchthreat responsethreat spotlightthreat-intelligencethreatsthreatsonarthreatsonar anti-ransomwarethreatvisionthrowbacktinbatipstldstls clienttls servertoolstor directorytor nodetouchtracingtrackertransferxl urltransferxl urlstravelextrellotrend microtrend visiontrickbottrickbot c2trickbot crewstrickbot grouptrickbots crewtrickbots cstriggertrinidad and tobagotrinitytrinpertrojantrojanspytrumptrustttpsturkishturlatvrattwittertycoontypeuac0056ukraineunc1151unc2165unc2190unc2190 beaconunc2198unc2452unc2465unc2589unc3381unified accessunitunusual porturgenturisurlcampourlsurls httpurlshxxpursnifuse sectionuseragent: edgeuserpcnameuuid variantuuidsuwagavaporragevariantvaronisvaronis threatvatetvawtrakvba macrovbs scriptvengeful wolfvhashvidarvietnamviewvincssvision onevmwarevmware commandvmware horizonvmware identityvmware xfervnc activityvobfusvoicevoidvollgarvscodevulnerability scanwaf rulewatch wolfwdigestweb application attackweblogic accesswebshellwerewolveswherewin32.agentwin32.bitcoinminerwinapiwinapi callwindwindowwindowswindows binarywindows contextwindows eventwindows exewindows hostwindows logonwindows ntwindows remotewindows servicewindows systemwineloaderwinidswinntiwinnti groupwinrarwinrmwinscpwiperwirelurkerwizard spiderwmicwmiexecwordword documentworkspace onewormwritewscriptx.509xll filexmrigxor algorithmsxss attackxtunnelxyzcampobb hxxpyahxzyanluowangyarayara rulez85 ascii85z85 httpszbotzenpakzero-day exploitzeuszip filezloaderzscaler cloudzusyzxkbdklakv

Activity Timeline

1 total obs

Jun 8Jun 8

Threat Activity Heatmap

· Peak: 2026-06-08

Less

Mon

Wed

Fri

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Jan

Feb

Mar

Apr

May

Jun

24h

Dormant

30d

Minimal

3mo

Minimal

Intelligence SummaryAI Generated

The domain **mil-by.info**, originating from Estonia, has been identified as a significant indicator of compromise (IOC) associated with multiple cyber threats. First observed on April

Threat ScoreHigh Risk

SIGNAL

Signal Score

83%

Confidence

Reports

First seenApr 25, 2025

Last seenJun 8, 2026

VirusTotal

17/ 91vendors flagged

19% detection rateJun 9, 2026

WHOIS

description: The report outlines a range of targeted phishing campaigns and sophisticated post-exploitation tools employed by various cyber threat actors. Team46 exploited a zero-day vulnerability (CVE-2025-2783) in Chrome through phishing, utilizing decoy documents to discreetly install UltraVNC for access and lateral movement within networks. The Sapphire Werewolf group utilized multi-stage document droppers that bypass sandbox detection, exfiltrating data through Telegram bots, while TA Tolik focused on public-sector data theft. The report highlights a trend of domain impersonation and infrastructure reuse across multiple financially motivated groups, with specific tactics, such as modified LockBit encryption and exploitation of legacy Office vulnerabilities, indicative of the evolving nature of cyber threats. Notably, the increased use of AI-generated code for evading detection was also highlighted.
domain rank: -1
raw: Administrative city: REDACTED FOR PRIVACY Administrative country: REDACTED FOR PRIVACY Administrative state: REDACTED FOR PRIVACY Create date: 2024-08-29 00:00:00 Domain name: mil-by.info Domain registrar id: 1068 Domain registrar url: https://www.namecheap.com/ Expiry date: 2025-08-29 00:00:00 Name server 1: dns1.registrar-servers.com Name server 2: dns2.registrar-servers.com Query time: 2024-08-30 13:06:46 Registrant city: 1f8f4166599d23ee Registrant company: 4b7a0912c26a13e2 Registrant country: Iceland Registrant email: f651612a2f356ad3s@ Registrant fax: 1f8f4166599d23ee Registrant name: 1f8f4166599d23ee Registrant phone: 1f8f4166599d23ee Registrant state: 3e0204199d8ebf9c Registrant zip: 1f8f4166599d23ee Technical city: REDACTED FOR PRIVACY Technical country: REDACTED FOR PRIVACY Technical state: REDACTED FOR PRIVACY Update date: 2024-08-29 00:00:00
references: https://ptsecurity.com/research/pt-esc-threat-intelligence/team46-i-taxoff-dve-storony-odnoi-medali, https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/team46-i-taxoff-dve-storony-odnoi-medali, https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/, https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g, https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/, https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/, https://blog.talosintelligence.com/manjusaka-offensive-framework/, https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html, https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/, https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html, https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/, https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/, https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/, https://cert.gov.ua/article/703548, https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/, https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824, https://cert.gov.ua/article/619229, https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/, https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html, https://blog.talosintelligence.com/avoslocker-new-arsenal/, https://isc.sans.edu/diary/rss/28752, https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html, https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/, https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions, https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis, https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee, https://thehackernews.com/2022/05/malware-analysis-trickbot.html, https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux, https://asec.ahnlab.com/en/34549/, https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664, https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md, https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf, https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf, https://isc.sans.edu/diary/28636, https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/, https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html, https://blog.talosintelligence.com/mustang-panda-targets-europe/, https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/, https://security.macnica.co.jp/blog/2022/05/iso.html, https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/, https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt, https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf, https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/, https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/, https://thedfirreport.com/2022/04/25/quantum-ransomware/, https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/, https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html, https://www.varonis.com/blog/hive-ransomware-analysis, https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/, https://vanmieghem.io/blueprint-for-evading-edr-in-2022/, https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/, https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/, https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html, https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI, https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/, https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/, https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64, https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf, https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire, https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/, https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448, https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/, https://www.arashparsa.com/catching-a-malware-with-no-name/, https://cert.gov.ua/article/37704, https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/, https://thedfirreport.com/2022/03/07/2021-year-in-review/, https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/, https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage, https://cyber.wtf/2022/03/23/what-the-packer/, https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes, https://asec.ahnlab.com/en/31811/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/, https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489, https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike, https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/, https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/, https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue, https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/, https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/, https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/, https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html, https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks, https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/, https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1, https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/, https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/, https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/, https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/, https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf, https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf, https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/, https://istrosec.com/blog/apt-sk-cobalt/, https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/, https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/, https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/, https://securelist.com/apt-luminousmoth/103332/, https://isc.sans.edu/diary/rss/27618, https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads, https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass, https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/, https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/, https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/, https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise, https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/, https://www.cisa.gov/news-events/analysis-reports/ar21-148a, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a, https://www.lac.co.jp/lacwatch/report/20210521_002618.html, https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf, https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/, https://thedfirreport.com/2021/05/12/conti-ransomware/, https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/, https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/, https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/, https://blog.talosintelligence.com/lemon-duck-spreads-wings/, https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/, https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff, https://isc.sans.edu/diary/27308, https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c, https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures, https://www.qurium.org/alerts/targeted-malware-against-crph/, https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware, https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/, https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811, https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout, https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/, https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md, https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060, https://thedfirreport.com/2021/01/31/bazar-no-ryuk/, https://www.security.com/threat-intelligence/solarwinds-raindrop-malware, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618, https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html, https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach, https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/, https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/, https://isc.sans.edu/diary/rss/26862, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf, https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware, https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/, https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/, https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/, https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/, https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md, https://thedfirreport.com/2020/10/08/ryuks-return/, https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/, https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/, https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf, https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos, https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/, https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims, https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/, https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/, https://blog.talosintelligence.com/building-bypass-with-msbuild/, https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html, https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf, https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A, https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html, https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf, https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/, https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf, https://contagiodump.blogspot.com/2014/11/onionduke-samples.html, https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/, https://ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/kvartalnyj-otchet-iyun-2025/, https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/team46-i-taxoff-dve-storony-odnoi-medali/?_hsenc=p2ANqtz--dZoQqZwl9URkLYwlT9Nf0Ra3lXAQZuYzg337cuSaLG3grEkyl6INyF53yPOWQgzRHBpGu5tr0CEgR4YV8Wo36jhRYURiM71H5cuQKoAfWf4ONzsw&_hsmi=357798796#id11
subdomains count: 0

`mil-by.info`

MITRE ATT&CK TTPs

Feed Intelligence Summary

Activity Timeline

Threat Activity Heatmap

VirusTotal

WHOIS

Export & API

IOC Journey

We value your privacy