{
	"id": "849b2fc6-32c0-4a7b-bcda-d5cb9e64f769",
	"created_at": "2026-04-06T00:13:24.221484Z",
	"updated_at": "2026-04-10T03:25:35.717161Z",
	"deleted_at": null,
	"sha1_hash": "231bd20dd9f470e63459ec19332e7797a09d86f8",
	"title": "GitHub - infinitumitlabs/Karakurt-Hacking-Team-CTI: IOC Data Obtained From Karakurt Hacking Team's Internal Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 469262,
	"plain_text": "GitHub - infinitumitlabs/Karakurt-Hacking-Team-CTI: IOC Data\r\nObtained From Karakurt Hacking Team's Internal Infrastructure\r\nBy seraysaglam\r\nArchived: 2026-04-05 13:38:13 UTC\r\nKarakurt Hacking Team Indicators of Compromise (IOC)\r\nThese IOCs were released as part of CTI team research by Infinitum IT. The full report is available here\r\nOne of the most valuable pieces of threat intelligence we discovered during this CTI investigation was the IP address\r\nof the data storage and Command and Control Servers used by Karakurt / Conti.\r\nDomain IP\r\nkarakurt.co 209.222.98.19\r\nstok-061153.stokermate.com 104.238.61.153\r\nReal IP Address of Onion site used by Karakurt Hacking Team as a public leak page\r\nOnion site IP\r\nlhxxtrqraokn63f3nubhbjrzxkrgduq3qogp3yr424tkpvh3z7n4kcyd.onion 104.243.34.214\r\nKarakurt Leak Site\r\nhttps://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI\r\nPage 1 of 4\n\nThe following table contains the authentication logs of the subject Karakurt servers with IP 209.222.98.19 and\r\n104.238.61.153\r\nDetected TCP Connections on Karakurt Servers\r\n45.8.119.60\r\n212.220.115.145\r\n5.45.83.32\r\n31.14.40.64\r\n95.170.133.54\r\n1.116.139.11\r\n45.141.84.126\r\n185.5.251.35\r\n49.232.93.149\r\n61.177.173.17\r\n80.93.19.227\r\n139.219.4.103\r\n61.19.125.2\r\n159.65.140.76\r\n23.99.177.202\r\n109.169.14.109\r\n104.243.34.214\r\n37.252.0.143\r\n46.166.143.114\r\nDuring our CTI research on Karakurt / Conti servers we were able to identify the use of the SOCKS proxy pivoting technique\r\nwith an open source tool called Ligolo-ng against multiple victims.\r\nThe following table contains the Ligolo-ng Agent and Command and Control Server used by Karakurt Hacking Team\r\nMembers\r\nLigolo-ng Agent and Command and Control Servers\r\n104.194.9.238/download/lig.ext\r\n104.194.9.238:455/download/lig2.ext\r\n104.238.61.153\r\nSource Code of Data Leak Page Used by Karakurt Threat Group [ Update - Published ]\r\nWhen we connected to the Karakurt Blog Web Server, we saw that all of the stolen data had been categorized by\r\nsoftware that was being developed by Karakurt members.\n\nCobalt Strike Server and Malware Samples [Update - Published]\r\nThis data has been obtained from an Encrypted ZIP folder inside the Karakurt C2 Server\r\nIP Domain Name\r\n108.177.235.127 kisizo[.]com\r\nVT Link\r\nhttps://www.virustotal.com/gui/file/b7ae3b6f2c04a8d05478509b5047bf50bd880d32125923f093b2ea65fe48fac1/relations\r\nhttps://www.virustotal.com/gui/file/8cfdb99185fba9abd91d915425826ca9c6ce360fe68f4c8430c358ceab0acf24/relations\r\nSource: https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI"
	],
	"report_names": [
		"Karakurt-Hacking-Team-CTI"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775791535,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/231bd20dd9f470e63459ec19332e7797a09d86f8.pdf",
		"text": "https://archive.orkl.eu/231bd20dd9f470e63459ec19332e7797a09d86f8.txt",
		"img": "https://archive.orkl.eu/231bd20dd9f470e63459ec19332e7797a09d86f8.jpg"
	}
}