{
	"id": "8f59d834-a759-427d-b994-96f9842e7a66",
	"created_at": "2026-04-06T00:12:07.373927Z",
	"updated_at": "2026-04-10T03:25:23.117875Z",
	"deleted_at": null,
	"sha1_hash": "36a5bc14bf420261a55ffa6c3422bf0d26e32e1f",
	"title": "Deflect Labs Report #6: Phishing and Web Attacks Targeting Uzbek Human Right Activists and Independent Media - eQualitie",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1043847,
	"plain_text": "Deflect Labs Report #6: Phishing and Web Attacks Targeting Uzbek\r\nHuman Right Activists and Independent Media - eQualitie\r\nBy Etienne\r\nPublished: 2019-05-09 · Archived: 2026-04-02 12:09:04 UTC\r\nKey Findings\r\nWe have discovered infrastructure used to launch and coordinate attacks targeting independent media and human rights activists from Uzbekistan.\r\nThe campaign has been active since early 2016, using web and phishing attacks to suppress and exploit its targets.\r\nWe have no evidence of who is behind this campaign, but the target list points to a new threat actor targeting Uzbek activists and media.\r\nIntroduction\r\nThe Deflect project was created to protect civil society websites from web attacks, following the publication of the “Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites” report by the Berkman Center for Internet \u0026 Society. Since then we have investigated many DDoS attacks, leading to the publication of several reports.\r\nThe attacks leading to the publication of this report quickly stood out from the daily onslaught of malicious traffic on Deflect, at first because they were using professional vulnerability scanning tools like Acunetix. The moment we discovered that the origin server of these scans was also hosting fake Gmail domains, it became evident that something bigger was going on.\r\nIn this report, we describe all the pieces we have put together about this campaign, in the hope of contributing to public knowledge about the methods and impact of such attacks against civil society.\r\nContext: Human Rights and Surveillance in Uzbekistan\r\nhttps://equalit.ie/deflect-labs-report-6/\r\nPage 1 of 10\n\nEmblem of Uzbekistan (wikipedia)\r\nUzbekistan is described by many human rights organizations as an authoritarian state that has severely repressed civil society. 
Since the collapse of the Soviet Union, two presidents have presided over a system that institutionalized torture and repressed freedom of expression, as documented over the years by Human Rights Watch, Amnesty International and Front Line Defenders, among many others. Repression extended to media and human rights activists in particular, many of whom had to leave the country and continue their work in the diaspora.\r\nUzbekistan was one of the first countries to establish a pervasive Internet censorship infrastructure, blocking access to media and human rights websites. Hacking Team servers in Uzbekistan were identified as early as 2014 by the Citizen Lab, and leaked Hacking Team emails later confirmed that the Uzbek National Security Service (SNB) was among the customers of Hacking Team. A Privacy International report from 2015 describes the installation in Uzbekistan of several monitoring centers with mass surveillance capabilities, provided by the Israeli branch of the US-based company Verint Systems and by the Israel-based company NICE Systems. A 2017 Amnesty International report entitled ‘We will find you anywhere’ gives more context on the use of these capabilities, describing digital surveillance and targeted attacks against Uzbek journalists and human rights activists. Among other cases, it describes the unfortunate events behind the closure of uznews.net, an independent media website established by Galima Bukharbaeva in 2005 following the Andijan massacre. In 2014, she discovered that her email account had been hacked and that information about the organization, including names and personal details of journalists in Uzbekistan, had been published online. Galima is now the editor of Centre1, a Deflect client and one of the targets of this investigation.\r\nA New Phishing and Web Attack Campaign\r\nOn the 16th of November 2018, we identified a large attack against several websites protected by Deflect. 
This attack used several professional web vulnerability scanners like NetSparker and WPScan to scan the websites eltuz.com and centre1.com.\r\nPeak of traffic during the attack (16th of November 2018)\r\nThis attack was coming from the IP address 51.15.94.245 (AS12876, Online S.A.S., in an IP range dedicated to Scaleway servers). By looking at older traffic from this same IP address, we found several cases of attacks on other Deflect protected websites, but we also found domains mimicking Google and Gmail domains hosted on this IP address, like auth.login.google.email-service[.]host or auth.login.googlemail.com.mail-auth[.]top. We looked into passive DNS databases (using the PassiveTotal Community Edition and other tools like RobTex) and crossed that information with attacks seen on Deflect protected websites with logging enabled. We uncovered a large campaign combining web and phishing attacks against media and activists. We found the first evidence of activity from this group in February 2016, and the first evidence of attacks in December 2017.\r\nThe list of Deflect protected websites chosen by this campaign may give some context to the motivation behind it. Four websites were targeted:\r\nFergana News is a leading independent Russian \u0026 Uzbek language news website covering Central Asian countries\r\nEltuz is an independent Uzbek online media\r\nCentre1 is an independent media organization covering news in Central Asia\r\nPalestine Chronicle is a non-profit organization working on human rights issues in Palestine\r\nThree of these targets are prominent media focusing on Uzbekistan. We have been in contact with their editors and several other Uzbek activists to see if they had received phishing emails as part of this campaign. Some of them were able to confirm receiving such messages and forwarded them to us. 
Reaching out further afield, we were able to get confirmations of phishing attacks from other prominent Uzbek activists who were not linked to websites protected by Deflect.\r\nPalestine Chronicle seems to be an outlier in this group of media websites focusing on Uzbekistan. We don’t have a clear hypothesis about why this website was targeted.\r\nA year of web attacks against civil society\r\nThrough passive DNS, we identified three IPs used by the attackers in this operation:\r\n46.45.137.74 was used in 2016 and 2017 (timeline is not clear, Istanbul DC, AS197328)\r\n139.60.163.29 was used between October 2017 and August 2018 (HostKey, AS395839)\r\n51.15.94.245 was used between September 2018 and February 2019 (Scaleway, AS12876)\r\nWe have identified 15 attacks from the IPs 139.60.163.29 and 51.15.94.245 since December 2017 on Deflect protected websites:\r\nDate | IP | Target | Tools used\r\n2017/12/17 | 139.60.163.29 | eltuz.com | WPScan\r\n2018/04/12 | 139.60.163.29 | eltuz.com | Acunetix\r\n2018/09/15 | 51.15.94.245 | www.palestinechronicle.com, eltuz.com, www.fergana.info and uzbek.fergananews.com | Acunetix and WebCruiser\r\n2018/09/16 | 51.15.94.245 | www.fergana.info | Acunetix\r\n2018/09/17 | 51.15.94.245 | www.fergana.info | Acunetix\r\n2018/09/18 | 51.15.94.245 | www.fergana.info | NetSparker and Acunetix\r\n2018/09/19 | 51.15.94.245 | eltuz.com | NetSparker\r\n2018/09/20 | 51.15.94.245 | www.fergana.info | Acunetix\r\n2018/09/21 | 51.15.94.245 | www.fergana.info | Acunetix\r\n2018/10/08 | 51.15.94.245 | eltuz.com, www.fergananews.com and news.fergananews.com | Unknown\r\n2018/11/16 | 51.15.94.245 | eltuz.com, centre1.com and en.eltuz.com | NetSparker and WPScan\r\n2019/01/18 | 51.15.94.245 | eltuz.com | WPScan\r\n2019/01/19 | 51.15.94.245 | fergana.info, www.fergana.info and fergana.agency | Unknown\r\n2019/01/30 | 51.15.94.245 | eltuz.com and en.eltuz.com | Unknown\r\n2019/02/05 | 51.15.94.245 | fergana.info | Acunetix\r\nBesides classic open-source tools like WPScan, these attacks show the use of a wide range of commercial security audit tools, like NetSparker or Acunetix. Acunetix offers a trial version that may have been used here; NetSparker does not, which suggests that the operators have a consistent budget (the standard offer is $4995 per year) unless a cracked version was used.\r\nIt is also surprising to see so many different tools coming from a single server, as many of them require a graphical user interface. When we scanned the IP 51.15.94.245, we discovered that it hosted a Squid proxy on port 3128; we think that this proxy was used to relay traffic from the operator’s own computer.\r\nExtract of nmap scan of 51.15.94.245 in December 2018:\r\n3128/tcp open http-proxy Squid http proxy 3.5.23\r\n|_http-server-header: squid/3.5.23\r\n|_http-title: ERROR: The requested URL could not be retrieved\r\nA large phishing campaign\r\nAfter discovering a long list of domains made to resemble popular email providers, we suspected that the operators were also involved in a phishing campaign. 
We contacted the owners of the targeted websites, along with several Uzbek human rights activists, and gathered 14 different phishing emails targeting two activists between March 2018 and February 2019:\r\nDate | Sender | Subject | Link\r\n12 March 2018 | g.corp.sender[@]gmail.com | У Вас 2 недоставленное сообщение (You have 2 undelivered messages) | http://mail.gmal.con.my-id[.]top/\r\n13 June 2018 | service.deamon2018[@]gmail.com | Прекращение предоставления доступа к сервису (Termination of access to the service) | http://e.mail.gmall.con.my-id[.]top/\r\n18 June 2018 | id.warning.users[@]gmail.com | Ваш новый адрес в Gmail: alexis.usa@gmail.com (Your new email address in Gmail: alexis.usa@gmail.com) | http://e.mail.users.emall.com[.]my-id.top/\r\n10 July 2018 | id.warning.daemons[@]gmail.com | Прекращение предоставления доступа к сервису (Termination of access to the service) | hxxp://gmallls.con-537d7.my-id[.]top/\r\n10 July 2018 | id.warning.daemons[@]gmail.com | Прекращение предоставления доступа к сервису (Termination of access to the service) | http://gmallls.con-4f137.my-id[.]top/\r\n18 July 2018 | service.deamon2018[@]gmail.com | [Ticket#2011031810000512] – 3 undelivered messages | http://login-auth-goglemail-com-7c94e3a1597325b849e26a0b45f0f068.my-id[.]top/\r\n2 August 2018 | id.warning.daemon.service[@]gmail.com | [Important Reminder] Review your data retention settings | None\r\n16 October 2018 | lolapup.75[@]gmail.com | Экс-хоким Ташкента (Ex-hokim of Tashkent) | http://office-online-sessions-3959c138e8b8078e683849795e156f98.email-service\r\n23 October 2018 | noreply.user.info.id[@]gmail.com | Ваш аккаунт будет заблокировано (Your account will be blocked.) | http://gmail-accounts-cb66d53c8c9c1b7c622d915322804cdf.email-service\r\n25 October 2018 | warning.service.suspended[@]gmail.com | Ваш аккаунт будет заблокировано. (Your account will be blocked.) | http://gmail-accounts-bb6f2dfcec87551e99f9cf331c990617.email-service\r\n18 February 2019 | service.users.blocked[@]gmail.com | Важное оповещение системы безопасности (Important Security Alert) | http://id-accounts-blocked-ac5a75e4c0a77cc16fe90cddc01c2499.myconnection\r\n18 February 2019 | mail.suspend.service[@]gmail.com | Оповещения системы безопасности (Security Alerts) | http://id-accounts-blocked-326e88561ded6371be008af61bf9594d.myconnection\r\n21 February 2019 | service.users.blocked[@]gmail.com | Ваш аккаунт будет заблокирован. (Your account will be blocked.) | http://id-accounts-blocked-ffb67f7dd7427b9e4fc4e5571247e812.myconnection\r\n22 February 2019 | service.users.blocked[@]gmail.com | Прекращение предоставления доступа к сервису (Termination of access to the service) | http://id-accounts-blocked-c23102b28e1ae0f24c9614024628e650.myconnection\r\nAlmost all these emails mimicked Gmail alerts to entice the user to click on the link. For instance, this email received on the 23rd of October 2018 pretends that the account will be closed soon, using images of the text hosted on imgur to bypass Gmail detection:\r\nThe only exception was an email received on the 16th of October 2018 pretending to give confidential information on the former Hokim (governor) of Tashkent:\r\nThe emails used simple tricks to bypass detection, at times the drw.sh URL shortener (this tool belongs to the Russian security company Doctor Web) or open redirections offered in several Google tools.\r\nEvery email we have seen used a different sub-domain, including emails from the same Gmail account and with the same subject line. 
For instance, two different emails entitled “Прекращение предоставления доступа к сервису” and sent from the same address used hxxp://gmallls.con-537d7.my-id[.]top/ and http://gmallls.con-4f137.my-id[.]top/ as phishing domains. We think that the operators used a different sub-domain for every email sent in order to bypass Gmail’s list of known malicious domains. This would explain the large number of sub-domains identified through passive DNS. We have identified 74 sub-domains for 26 second-level domains used in this campaign (see the appendix below for a full list of discovered domains).\r\nWe think that the phishing page stayed online only for a short time after the email was sent, in order to avoid detection. We got access to the phishing pages of a few emails. We could confirm that the phishing toolkit checked whether the submitted password was correct (against the actual Gmail account), and we suspect that it also handled two-factor authentication codes sent by text message and generated by 2FA applications, but could not confirm this.\r\nTimeline for the campaign\r\nWe found the first evidence of activity in this operation with the registration of the domain auth-login[.]com on the 21st of February 2016. Because we discovered the campaign recently, we have little information on attacks during 2016 and 2017, but domain registration dates show some activity in July and December 2016, and then again in August and October 2017. It is very likely that the campaign started in 2016 and continued in 2017 without any public reporting about it.\r\nHere is a first timeline we obtained based on domain registration dates and the dates of web attacks and phishing emails:\r\nTo confirm that this group had some activity during 2016 and 2017, we gathered encryption (TLS) certificates for these domains and sub-domains from the crt.sh Certificate Transparency database. 
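The crt.sh lookup described above, as an added example that is not part of the original report: it takes records in the shape crt.sh returns from its JSON output (fields issuer_name, name_value and not_before), collapses the batch of certificates Cloudflare issues for one hostname set on one day into a single issuance event, builds a monthly timeline from both the raw count and the collapsed count, and records the first date each registered domain appears. The records below are constructed for the example (invented dates, domain names taken from this report); the rule that a name under cloudflaressl.com marks a Cloudflare shared certificate, and the simplification that a registered domain is the last two labels, are assumptions of the example.

```python
# Added example, not code from the Deflect Labs report: monthly timeline from
# crt.sh-style Certificate Transparency records, with Cloudflare batches collapsed.
from collections import Counter
from datetime import datetime

NL = chr(10)  # crt.sh separates the names of one certificate with newlines

# Constructed sample in the shape of crt.sh JSON output. Dates are invented;
# the domain names are ones quoted in the report.
SAMPLE_RECORDS = [
    {'id': 1, 'issuer_name': 'O=Example CA A', 'not_before': '2016-12-05T08:15:00',
     'name_value': 'auth-mail.com' + NL + 'www.auth-mail.com'},
    {'id': 2, 'issuer_name': 'O=Example CA B', 'not_before': '2016-12-05T08:15:00',
     'name_value': 'auth-mail.com' + NL + 'www.auth-mail.com'},
    {'id': 3, 'issuer_name': 'O=Example CA A', 'not_before': '2017-03-14T11:00:00',
     'name_value': 'sni123456.cloudflaressl.com' + NL + 'auth-mail.com' + NL + 'login.yandex.ru.auth-login.com'},
    {'id': 4, 'issuer_name': 'O=Example CA B', 'not_before': '2017-03-14T11:00:00',
     'name_value': 'sni123456.cloudflaressl.com' + NL + 'auth-mail.com' + NL + 'login.yandex.ru.auth-login.com'},
    {'id': 5, 'issuer_name': 'O=Example CA B', 'not_before': '2017-03-14T11:00:00',
     'name_value': 'sni123456.cloudflaressl.com' + NL + 'auth-mail.com' + NL + 'login.yandex.ru.auth-login.com'},
    {'id': 6, 'issuer_name': 'O=Example CA A', 'not_before': '2017-10-02T09:30:00',
     'name_value': 'my-id.top' + NL + 'auth.yandex.ru.my-id.top'},
    {'id': 7, 'issuer_name': 'O=Example CA A', 'not_before': '2018-07-10T14:05:00',
     'name_value': 'email-service.host' + NL + 'auth.login.google.email-service.host'},
    {'id': 8, 'issuer_name': 'O=Example CA B', 'not_before': '2018-07-10T14:05:00',
     'name_value': 'email-service.host' + NL + 'auth.login.google.email-service.host'},
    {'id': 9, 'issuer_name': 'O=Example CA A', 'not_before': '2018-07-11T16:20:00',
     'name_value': 'email-service.host' + NL + 'auth.login.google.email-service.host'},
]

def registered_domain(name):
    '''Last two labels; a simplification, no public suffix list is consulted.'''
    return '.'.join(name.split('.')[-2:])

def parse_records(records):
    '''Normalise crt.sh records: name set, issuer, not_before as datetime, and
    whether the certificate is a Cloudflare shared certificate (assumed here
    from a SAN under cloudflaressl.com).'''
    certs = []
    for rec in records:
        names = frozenset(n.strip().lower().lstrip('*.')
                          for n in rec['name_value'].split(NL) if n.strip())
        certs.append({
            'names': names,
            'issuer': rec['issuer_name'],
            'not_before': datetime.strptime(rec['not_before'], '%Y-%m-%dT%H:%M:%S'),
            'shared': any(n.endswith('cloudflaressl.com') for n in names),
        })
    return certs

def issuance_events(certs):
    '''Collapse certificates with the same name set on the same day into one
    event: Cloudflare obtains the same SAN set from more than one CA at once,
    and crt.sh lists precertificate and certificate as separate rows.'''
    events = {}
    for cert in certs:
        events.setdefault((cert['names'], cert['not_before'].date()), cert)
    return list(events.values())

def monthly_timeline(certs):
    '''Count of certificates (or events) per YYYY-MM.'''
    return dict(Counter(c['not_before'].strftime('%Y-%m') for c in certs))

def first_seen(certs, ignore=('cloudflaressl.com',)):
    '''Earliest not_before per registered domain, skipping shared-cert hosts.'''
    first = {}
    for cert in sorted(certs, key=lambda c: c['not_before']):
        for name in cert['names']:
            dom = registered_domain(name)
            if dom not in ignore:
                first.setdefault(dom, cert['not_before'].date())
    return first

if __name__ == '__main__':
    certs = parse_records(SAMPLE_RECORDS)
    print('raw certificates per month:', monthly_timeline(certs))
    print('issuance events per month: ', monthly_timeline(issuance_events(certs)))
    print('first seen per domain:     ', first_seen(certs))
```

The gap between the raw count and the event count is what the report describes for 2017 and 2018: one operator action on Cloudflare shows up as several certificates, so the collapsed timeline is the better proxy for activity, while first_seen gives the earliest date a domain was provably in use even when its registration record is gone.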
We identified 230 certificates generated for these domains, most of them created by Cloudflare. Here is a new timeline integrating the creation of TLS certificates:\r\nWe see here many certificates created since December 2016 and continuing over 2017, which shows that this group had some activity during that time. The large number of certificates over 2017 and 2018 comes from the campaign operators using Cloudflare for several domains: Cloudflare creates several short-lived certificates at the same time when protecting a website, so the raw certificate count overstates the number of distinct actions by the operators.\r\nIt is also interesting to note that the campaign started in February 2016, with some activity in the summer of 2016, which happens to be when the former Uzbek president Islam Karimov died, news first reported by Fergana News, one of the targets of this attack campaign.\r\nInfrastructure Analysis\r\nWe identified the domains and subdomains of this campaign through analysis of passive DNS information, using mostly the Community access of PassiveTotal. Many domains in 2016/2017 reused the same registrant email address, b.adan1@walla.co.il, which helped us identify other domains related to this campaign:\r\nBased on this list, we identified subdomains and the IP addresses associated with them, and discovered three IP addresses used in the operation. We used Shodan historical data and the dates of passive DNS data to estimate the timeline of the utilisation of the different servers:\r\n46.45.137.74 was used in 2016 and 2017\r\n139.60.163.29 was used between October 2017 and August 2018\r\n51.15.94.245 was used between September 2018 and February 2019\r\nWe have identified 74 sub-domains for 26 second-level domains used in this campaign (see the appendix for a full list of IOCs). 
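The sub-domain counting in the paragraph above, and the one-sub-domain-per-email trick described in the phishing section, as an added example that is not part of the original report: it takes the hostnames quoted in this report (defanged as printed), groups them by registered domain, and flags labels that imitate a mail provider and labels that look like a per-message hash. The hostname list is constructed from the report's tables; the brand list, the edit-distance threshold of two, the hex-label heuristic and the last-two-labels rule for the registered domain are assumptions of the example, not findings of the report.

```python
# Added example, not code from the Deflect Labs report: group phishing
# hostnames by registered domain and flag the two naming tricks the report
# describes, brand look-alike labels and a unique hash-like label per message.
from collections import defaultdict

HEX_DIGITS = set('0123456789abcdef')
# Brands the report says were imitated; an assumption of the example, extend as needed.
BRANDS = ['gmail', 'google', 'googlemail', 'yandex', 'qip', 'yahoo', 'live', 'rambler']

# Constructed input: hostnames quoted in this report, defanged as printed there.
SAMPLE_URLS = [
    'http://mail.gmal.con.my-id[.]top/',
    'http://e.mail.gmall.con.my-id[.]top/',
    'http://e.mail.users.emall.com[.]my-id.top/',
    'hxxp://gmallls.con-537d7.my-id[.]top/',
    'http://gmallls.con-4f137.my-id[.]top/',
    'http://login-auth-goglemail-com-7c94e3a1597325b849e26a0b45f0f068.my-id[.]top/',
    'auth.login.google.email-service[.]host',
    'auth.login.googlemail.com.mail-auth[.]top',
    'auth.yandex.ru.my-id[.]top',
    'login.yandex.ru.auth-login[.]com',
    'account.qip.ru.mail-help-support[.]info',
]

def refang_host(url):
    '''Undo [.] and hxxp defanging, drop scheme and path, lower-case.'''
    url = url.replace('[.]', '.').replace('hxxp', 'http')
    if '://' in url:
        url = url.split('://', 1)[1]
    return url.split('/', 1)[0].lower()

def registered_domain(host):
    '''Last two labels. Simplification: no public suffix list, so a host under
    a multi-label suffix such as co.uk would be grouped wrongly.'''
    return '.'.join(host.split('.')[-2:])

def looks_like_hash(token):
    '''Five or more hex characters including a digit, like 537d7 or the
    32-character labels in the report.'''
    return len(token) >= 5 and set(token) <= HEX_DIGITS and any(c.isdigit() for c in token)

def levenshtein(a, b):
    '''Plain edit distance, enough for short labels.'''
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def collapse_repeats(s):
    '''gmallls becomes gmals, so padded look-alikes stay within edit range.'''
    out = ''
    for ch in s:
        if not out or out[-1] != ch:
            out += ch
    return out

def brand_lookalike(label):
    '''Brand a label imitates: exact, or within two edits after collapsing
    repeated letters. Labels shorter than three characters are ignored.'''
    if len(label) < 3:
        return None
    norm = collapse_repeats(label)
    for brand in BRANDS:
        if label == brand or levenshtein(norm, brand) <= 2:
            return brand
    return None

def analyse(urls):
    '''Per second-level domain: how many distinct hosts; which hosts carry a
    hash-like label; which brands each host imitates.'''
    per_sld = defaultdict(set)
    hashed, impersonating = [], {}
    for host in sorted({refang_host(u) for u in urls}):
        per_sld[registered_domain(host)].add(host)
        tokens = [t for label in host.split('.')[:-2] for t in label.split('-')]
        if any(looks_like_hash(t) for t in tokens):
            hashed.append(host)
        brands = sorted({b for b in map(brand_lookalike, tokens) if b})
        if brands:
            impersonating[host] = brands
    return {'hosts_per_sld': {k: len(v) for k, v in per_sld.items()},
            'hash_labelled': hashed, 'impersonating': impersonating}

if __name__ == '__main__':
    for key, value in analyse(SAMPLE_URLS).items():
        print(key, value)
```

Run over the full list of 74 sub-domains, hosts_per_sld gives the spread across the 26 second-level domains that the appendix summarises, and hash_labelled isolates the per-message URLs: those are the ones that a hostname-by-hostname blocklist will always miss, which is the argument for blocking the whole second-level domain.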
Most of these domains mimic Gmail, but there are also domains mimicking Yandex (auth.yandex.ru.my-id[.]top), mail.ru (mail.ru.my-id[.]top), qip.ru (account.qip.ru.mail-help-support[.]info), Yahoo (auth.yahoo.com.mail-help-support[.]info), Live (login.live.com.mail-help-support[.]info) or rambler.ru (mail.rambler.ru.mail-help-support[.]info). Most of these hostnames are sub-domains of a few generic second-level domains (like auth-mail.com), but there are a few specific second-level domains that are interesting:\r\nbit-ly[.]host mimicking bit.ly\r\nm-youtube[.]top and m-youtube[.]org for YouTube\r\necoit[.]email which could mimic https://www.ecoi.net\r\npochta[.]top likely mimicking https://www.pochta.ru/, the Russian Post website\r\nWe have not found any information on vzlom[.]top and fixerman[.]top. Vzlom means “break into” in Russian, so it could have hosted or mimicked a security website.\r\nA weird Cyber-criminality Nexus\r\nIt is quite unusual to see connections between targeted attacks and cyber-criminal enterprises; however, during this investigation we encountered two such links.\r\nThe first one is with the domain msoffice365[.]win, which was registered by b.adan1@walla.co.il (as were many other domains from this campaign) on the 7th of December 2016. This domain was identified as a C2 server for a cryptocurrency theft tool called Quant, as described in a Forcepoint report released in December 2017. VirusTotal confirms that this domain hosted several samples of this malware in November 2017 (it was registered for a year). We have not seen any malicious activity from this domain related to our campaign, but as explained earlier, we have only marginal visibility into the group’s activity in 2017.\r\nThe second link we have found is between the domain auth-login[.]com and the groups behind the Bedep trojan and the Angler exploit kit. 
auth-login[.]com was linked to this operation through the subdomain login.yandex.ru.auth-login[.]com, which fits the pattern of long subdomains mimicking Yandex seen in this campaign, and it was hosted on the same IP address, 46.45.137.74, in March and April 2016 according to RiskIQ. This domain was registered in February 2016 by yingw90@yahoo.com (David Bowers from Grovetown, GA in the US, according to whois information). This email address was also used to register hundreds of domains used in a Bedep campaign, as described by Talos in February 2016 (and confirmed by several other reports). Angler is one of the most notorious exploit kits, commonly used by cyber-criminals between 2013 and 2016. Bedep is a generic backdoor that was identified in 2015 and used almost exclusively with the Angler exploit kit. It should be noted that Trustwave documented the use of Bedep in 2015 to inflate the number of views of pro-Russian propaganda videos.\r\nEven if we have not seen any use of these two domains in this campaign, these two links seem too strong to be considered circumstantial. They could show a collaboration between cyber-criminal groups and state-sponsored groups or services. It is interesting to remember the potential involvement of Russian hacking groups in the attacks on the Uznews.net editor in 2014, as described by Amnesty International.\r\nTaking Down Servers is Hard\r\nWhen the attack was discovered, we decided to investigate without sending any abuse requests, until a clearer picture of the campaign emerged. In January 2019, we decided that we had enough knowledge of the campaign and started to send abuse requests: for the fake Gmail addresses to Google and for the URL shorteners to Doctor Web. We did not receive any answer, but noticed that the Doctor Web URLs were taken down a few days later.\r\nRegarding the Scaleway server, we entered into an unexpected loop with their abuse process. 
Scaleway operates by sending the abuse request directly to the customer and then asks them for confirmation that the issue has been resolved. This process works fine in the case of a compromised server, but does not work when the server was rented intentionally for malicious activities. We did not want to send an abuse request because it would have involved giving away information to the operators. We contacted Scaleway directly, and it took some time to find the right person on the security team. They acknowledged the difficulty of having an efficient abuse process, and after we sent them an anonymized version of this report along with proof that phishing websites were hosted on the server, they took down the server around the 25th of January 2019.\r\nBeing an infrastructure provider ourselves, we understand the difficulty of dealing with abuse requests. For a lot of hosting providers, the number of requests is what makes a case urgent or not. We encourage hosting providers to better engage with organisations working to protect civil society and to establish trust relationships that help quickly mitigate the effects of malicious campaigns.\r\nConclusion\r\nIn this report, we have documented a prolonged phishing and web attack campaign focusing on media covering Uzbekistan and Uzbek human rights activists. It shows once again that digital attacks are a threat to human rights activists and independent media. There are several threat actors known to use phishing and web attacks combined (like the Vietnam-related group Ocean Lotus), but this campaign shows a dual strategy targeting civil society websites and their editors at the same time.\r\nWe have no evidence of government involvement in this operation, but these attacks are clearly targeted at prominent voices of Uzbek civil society. 
They also share strong similarities with the hack of Uznews.net in 2014, where the editor’s mailbox was compromised through a phishing email that appeared to be a notice from Google warning her that the account had been involved in distributing illegal pornography.\r\nOver the past 10 years, several organisations like the Citizen Lab or Amnesty International have dedicated a lot of time and effort to documenting digital surveillance and targeted attacks against civil society. We hope that this report will contribute to these efforts, and show that today, more than ever, we need to continue supporting civil society against digital surveillance and intrusion.\r\nCounter-Measures Against such Attacks\r\nIf you think you are targeted by similar campaigns, here is a list of recommendations to protect yourself.\r\nAgainst phishing attacks, it is important to learn to recognize classic phishing emails. We give some examples in this report, but you can read other similar reports by the Citizen Lab. You can also read this nice explanation by NetAlert and practice with this Google Jigsaw phishing quiz. The second important point is to make sure that you have configured two-factor authentication on your email and social media accounts. Two-factor authentication means using a second way to authenticate when you log in besides your password. Common second factors include text messages, one-time password apps or hardware tokens. We recommend using either one-time password apps (like Google Authenticator or FreeOTP) or hardware keys (like YubiKeys). 
Hardware keys are known to be more secure and are strongly recommended if you are an at-risk activist or journalist: a FIDO/U2F key only responds to the genuine site it was registered with, so a phishing page cannot relay the second factor the way it can relay a text-message or app code.\r\nAgainst web attacks, if you are using a CMS like WordPress or Drupal, it is very important to update both the CMS and its plugins regularly, and to avoid using unmaintained plugins (it is very common for websites to be compromised because of outdated plugins). Civil society websites are welcome to apply to Deflect for free website protection.\r\nAppendix\r\nAcknowledgement\r\nWe would like to thank Front Line Defenders and Scaleway for their help. We would also like to thank ipinfo.io and RiskIQ for their tools, which helped us in the investigation.\r\nIndicators of Compromise\r\nSecond-level domains (26):\r\nemail-service.host\r\nemail-session.host\r\nsupport-email.site\r\nsupport-email.host\r\nemail-support.host\r\nmyconnection.website\r\necoit.email\r\nmy-cabinet.com\r\nmy-id.top\r\nmsoffice365-online.org\r\nsecretonline.top\r\nm-youtube.top\r\nauth-mail.com\r\nmail-help-support.info\r\nmail-support.info\r\nauth-mail.me\r\nauth-login.com\r\nemail-x.com\r\nauth-mail.ru\r\nmail-auth.top\r\nmsoffice365.win\r\nbit-ly.host\r\nm-youtube.org\r\nvzlom.top\r\npochta.top\r\nfixerman.top\r\nYou can find a full list of indicators on GitHub: https://github.com/equalitie/deflect_labs_6_indicators\r\nSource: https://equalit.ie/deflect-labs-report-6/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://equalit.ie/deflect-labs-report-6/"
	],
	"report_names": [
		"deflect-labs-report-6"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775791523,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36a5bc14bf420261a55ffa6c3422bf0d26e32e1f.pdf",
		"text": "https://archive.orkl.eu/36a5bc14bf420261a55ffa6c3422bf0d26e32e1f.txt",
		"img": "https://archive.orkl.eu/36a5bc14bf420261a55ffa6c3422bf0d26e32e1f.jpg"
	}
}