{ "id": "a839448c-7b22-4578-9c1a-5fd8b7cb4836", "created_at": "2026-04-06T00:11:41.619765Z", "updated_at": "2026-04-10T03:36:11.20079Z", "deleted_at": null, "sha1_hash": "505bbb4e893ac28f894094462d79fe5f52380ba2", "title": "research-team/IOCs/WizardSpider-UNC1878-Ryuk.csv at master · ThreatConnect-Inc/research-team", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 72561, "plain_text": "research-team/IOCs/WizardSpider-UNC1878-Ryuk.csv at master ·\r\nThreatConnect-Inc/research-team\r\nBy Alex\r\nArchived: 2026-04-05 15:30:19 UTC\r\n2\r\nAddress104.217.62.1109010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30\r\n2020. ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878\r\n3\r\nAddress104.149.170.1909010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October\r\n30 2020. ThreatConnect EnrichmentWizard Spider;Dedicated Server;UNC1878;Ryuk\r\n4\r\nAddress172.106.86.69010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30\r\n2020. ThreatConnect EnrichmentWizard Spider;UNC1878;Dedicated Server;Ryuk\r\n5\r\nAddress104.149.170.1829010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October\r\n30 2020. ThreatConnect EnrichmentWizard Spider;UNC1878;Ryuk;Dedicated Server\r\n6\r\nAddress104.217.62.1119010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30\r\n2020. ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878\r\n7\r\nAddress104.149.170.1669010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October\r\n30 2020. ThreatConnect EnrichmentUNC1878;Wizard Spider;Ryuk;Dedicated Server\r\n8\r\nAddress172.106.86.59010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30\r\n2020. ThreatConnect EnrichmentRyuk;Wizard Spider;Dedicated Server;UNC1878\r\n9\r\nAddress104.149.168.2229010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October\r\n30 2020. ThreatConnect EnrichmentDedicated Server;Wizard Spider;UNC1878;Ryuk\r\n10\r\nAddress172.106.86.49010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30\r\n2020. ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 1 of 23\n\n11\r\nHostnasupdater.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentUNC1878;Dedicated Server;Ryuk;Wizard Spider\r\n12\r\nHostnashelper.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentWizard Spider;Ryuk;UNC1878;Dedicated Server\r\n13\r\nHostnasbooster.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\n14\r\nHostibackupview.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;UNC1878;Ryuk;Wizard Spider\r\n15\r\nHostibackupupdate.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878\r\n16\r\nHostibackupboost.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878\r\n17\r\nHostchecksservice.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Wizard Spider;UNC1878;Dedicated Server\r\n18\r\nHostiservicec.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server;Wizard Spider;UNC1878\r\n19\r\nHostuncheckhel.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentWizard Spider;Ryuk;Dedicated Server;UNC1878\r\n20\r\nAddress104.149.168.2139010-29-202010-30-2020IP hosts most likely Ryuk domain backupslive.com on a dedicated server,\r\nas of October 29 2020.ThreatConnect EnrichmentRyuk;Dedicated Server;UNC1878;Wizard Spider\r\n21\r\nHostbackupslive.com9010-29-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through\r\nNameCheap and hosted on a dedicated server at 104.149.168.213. Per Censys, domain uses an SSL certificate with similar\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 2 of 23\n\nsubject string (\"C=US, ST=TX, L=Texas, O=lol, OU=,\") compared to previous Ryuk infrastructure. ThreatConnect\r\nEnrichmentRyuk;Dedicated Server;UNC1878;Wizard Spider\r\n22\r\nAddress209.141.34.915010-29-202010-29-2020IP hosts a possible Ryuk domain as of October 29 2020.ThreatConnect\r\nEnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\n23\r\nHostthecheckupdater.com5010-29-202010-29-2020Possible Ryuk domain registered on October 26 2020 and hosted on a\r\nprobable dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\n24\r\nHostsupservupdate.com5010-29-202010-29-2020Possible Ryuk domain registered on October 26 2020 and hosted on a\r\nprobable dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\n25\r\nHostboost-helper.com5010-29-202010-29-2020Possible Ryuk domain registered on October 26 2020 and hosted on a\r\nprobable dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\n26\r\nAddress205.185.127.2155010-29-202010-29-2020IP hosts a possible Ryuk domain as of October 29 2020.ThreatConnect\r\nEnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\n27\r\nAddress209.141.61.435010-29-202010-29-2020IP hosts a possible Ryuk domain as of October 29 2020.ThreatConnect\r\nEnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server\r\n28\r\nAddress172.106.86.229010-29-202010-29-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 29\r\n2020. ThreatConnect EnrichmentWizard Spider;Dedicated Server;Ryuk;UNC1878\r\n29\r\nAddress190.211.254.1565010-29-202010-29-2020IP hosts a possible Ryuk domain on a dedicated server, as of October 29\r\n2020.ThreatConnect EnrichmentUNC1878;Dedicated Server;Ryuk;Wizard Spider\r\n30\r\nAddress172.106.86.135010-29-202010-29-2020IP hosts a possible Ryuk domain on a dedicated server, as of October 29\r\n2020.ThreatConnect EnrichmentWizard Spider;Ryuk;UNC1878;Dedicated Server\r\n31\r\nAddress209.141.49.2339010-29-202010-29-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 29\r\n2020. ThreatConnect EnrichmentUNC1878;Wizard Spider;Dedicated Server;Ryuk\r\n32\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 3 of 23\n\nAddress104.217.8.1035010-29-202010-29-2020IP hosts a possible Ryuk domain on a dedicated server, as of October 29\r\n2020.ThreatConnect EnrichmentUNC1878;Wizard Spider;Ryuk;Dedicated Server\r\n33\r\nHostiupdaters.com5010-29-202010-29-2020Possible Ryuk domain registered through Openprovider on October 23 2020\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server;UNC1878;Wizard Spider\r\n34\r\nHostiupdatemaster.com5010-29-202010-29-2020Possible Ryuk domain registered through Openprovider on October 23\r\n2020 and hosted on a dedicated server.ThreatConnect EnrichmentUNC1878;Dedicated Server;Ryuk;Wizard Spider\r\n35\r\nHostimasterupdate.com5010-29-202010-29-2020Possible Ryuk domain registered through Openprovider on October 23\r\n2020 and hosted on a dedicated server.ThreatConnect EnrichmentWizard Spider;UNC1878;Dedicated Server;Ryuk\r\n36\r\nHostitopupdater.com9010-29-202010-29-2020Most likely Ryuk domain registered on October 23 2020 through\r\nOpenprovider and hosted on a dedicated server. Per Censys, domain uses an SSL certificate with similar subject string\r\n(\"C=US, ST=TX, L=Texas, O=lol, OU=,\") compared to previous Ryuk infrastructure.ThreatConnect\r\nEnrichmentUNC1878;Wizard Spider;Ryuk;Dedicated Server\r\n37\r\nHostit1booster.com9010-29-202010-29-2020Most likely Ryuk domain registered on October 23 2020 through Openprovider\r\nand hosted on a dedicated server. Per Censys, domain uses an SSL certificate with similar subject string (\"C=US, ST=TX,\r\nL=Texas, O=lol, OU=,\") compared to previous Ryuk infrastructure.ThreatConnect EnrichmentUNC1878;Ryuk;Wizard\r\nSpider;Dedicated Server\r\n38\r\nHostidrivecheck.com4510-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n39\r\nAddress205.185.123.629010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentRyuk\r\n40\r\nAddress81.17.28.709010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late\r\nOctober 2020.ThreatConnect EnrichmentRyuk\r\n41\r\nAddress81.17.28.1229010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentRyuk\r\n42\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 4 of 23\n\nAddress179.43.128.39010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentRyuk\r\n43\r\nAddress205.185.121.1349010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server\r\nin late October 2020.ThreatConnect EnrichmentRyuk\r\n44\r\nAddress81.17.28.1059010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentRyuk\r\n45\r\nAddress179.43.158.1719010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentRyuk\r\n46\r\nAddress179.43.133.449010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentRyuk\r\n47\r\nAddress179.43.160.2059010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentRyuk\r\n48\r\nAddress179.43.128.59010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nlate October 2020.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n49\r\nAddress205.185.126.1729010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server\r\nin late October 2020.ThreatConnect EnrichmentRyuk\r\n50\r\nHostservice1upd.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n51\r\nHostservice1boost.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n52\r\nHostidriveview.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n53\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 5 of 23\n\nHostidriveupdate.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n54\r\nHostidriverrs.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n55\r\nHostidrivehepler.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n56\r\nHostidrivefinder.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n57\r\nHostidrivedwn.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n58\r\nHostidrivedownload.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n59\r\nHostidriveboost.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n60\r\nFile27B341FA2AA731335273204CB112A414 : 3BA6EBC1CECA4A37FD13AC4875F2AFDDB046151C :\r\n2FACD367C1299EF200934CFD06279F177F9E3145164E4BD595E2B94A403A1B0210010-28-202010-28-2020Cobalt\r\nStrike executable communicates with most likely Ryuk domain idrivecheck.com.ThreatConnect EnrichmentCobalt\r\nStrike;Ryuk\r\n61\r\nAddress45.153.241.1679010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n62\r\nAddress45.147.231.2229010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n63\r\nAddress45.153.241.1539010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 6 of 23\n\n64\r\nAddress45.153.241.1589010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n65\r\nAddress45.153.241.1469010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n66\r\nAddress45.153.241.1419010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n67\r\nAddress45.153.241.149010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n68\r\nAddress45.153.241.1389010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n69\r\nAddress45.153.241.1399010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n70\r\nAddress45.153.241.1349010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n71\r\nHostview-backup.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n72\r\nHosttop3servicebooster.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n73\r\nHostservicereader.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n74\r\nHostservicehel.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap\r\nand hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 7 of 23\n\n75\r\nHostservice1view.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n76\r\nHostservice1update.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n77\r\nHostdriver1downloads.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n78\r\nHostdriver-boosters.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n79\r\nHostbackups1helper.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through\r\nNameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n80\r\nHostservice-hel.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap\r\nand hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n81\r\nFileED0F520D410A684C6D0548DBF4CAEA98 : 6381FC7E6D39549E0F7E65AC8151EEB6D70ECEF9 :\r\n093AC1213B112C7EB7C46000F04160AF37339CE0D6FFF514F0941F2B5AB4882910010-23-202010-23-2020Malicious\r\nexecutable communicates with most likely Ryuk domain servicereader.com.ThreatConnect Enrichment\r\n82\r\nFile6C4DACBEFCA90DAD7EF318604E635E89 : 5810D3A052D459760DEFBF479BE15DF1EEBFF48F :\r\n1C05380AF47696F7D7EF84B452FA4F662158D9F1CAF7AD01A455061081D1365310010-23-202010-23-2020Malicious\r\nexecutable communicates with most likely Ryuk domain servicereader.com.ThreatConnect Enrichment\r\n83\r\nHostdriver1master.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n84\r\nHostchecktodrivers.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n85\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 8 of 23\n\nHostgodofservice.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n86\r\nHostservice1updater.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n87\r\nHostboost-yourservice.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n88\r\nHostviewdrivers.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n89\r\nHostdriver1updater.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n90\r\nHostbackup1master.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n91\r\nHostdriverdwl.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and\r\nhosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n92\r\nHostbackup1helper.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n93\r\nAddress45.153.241.17510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid\r\nOctober 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n94\r\nAddress45.153.240.1367510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n95\r\nAddress194.36.188.457510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n96\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 9 of 23\n\nAddress45.153.240.2207510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n97\r\nAddress45.153.240.1787510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n98\r\nAddress194.36.188.1547510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n99\r\nAddress45.153.240.1947510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n100\r\nAddress45.153.240.2407510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n101\r\nAddress45.153.240.2467510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n102\r\nAddress185.117.75.1937510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n103\r\nAddress45.153.240.1577510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n104\r\nAddress45.153.240.1387510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n105\r\nAddress45.153.240.2227510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n106\r\nAddress188.116.36.1557510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n107\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 10 of 23\n\nAddress45.153.240.1337510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in\r\nmid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n108\r\nAddress108.62.12.1148410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n109\r\nAddress108.62.12.1198410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n110\r\nAddress108.62.12.1218410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n111\r\nAddress108.62.12.128410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n112\r\nAddress74.118.138.1398410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n113\r\nAddress74.118.138.1388410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n114\r\nAddress74.118.138.1378410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n115\r\nAddress74.118.138.1168410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n116\r\nAddress74.118.138.1158410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n117\r\nAddress108.62.12.1168410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n118\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 11 of 23\n\nAddress108.62.12.1058410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n119\r\nAddress108.177.235.538410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in\r\nmid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n120\r\nHosttopservicebooster.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on\r\na dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n121\r\nHosttopservice-masters.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted\r\non a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n122\r\nHosttopbackup-helper.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on\r\na dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n123\r\nHosttop3-services.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a\r\ndedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n124\r\nHostsimpleservice-checker.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and\r\nhosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n125\r\nHostsimple-backupbooster.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and\r\nhosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n126\r\nHosttop-backupservice.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted\r\non a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n127\r\nHosttop-backuphelper.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on\r\na dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server\r\n128\r\nHostbestservicehelper.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on\r\na dedicated server. ThreatConnect EnrichmentCobalt Strike;Ryuk;Dedicated Server\r\n129\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 12 of 23\n\nHostbest-nas.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a\r\ndedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n130\r\nHostbest-backup.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a\r\ndedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n131\r\nHosttopbackupintheworld.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and\r\nhosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk\r\n132\r\nFileF8AAE4C883E19E3E1E880E7AE38C2369 : F3CA59DA7702CA9CB8FDB9F1B764EF2C7915A8A5 :\r\n8B6C3018958E7AE20989045811358B1225606000C879000C779444CC50290D9E10010-19-202010-19-2020Cobalt\r\nStrike executable communicates with a domain identified in a series of infrastructure with consistent registration and\r\nnaming, and most likely associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n133\r\nAddress45.147.230.1598410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\n134\r\nAddress45.147.230.1418410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\n135\r\nAddress45.147.230.1408410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\n136\r\nAddress45.147.230.1338410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\n137\r\nAddress45.147.230.1328410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\n138\r\nAddress45.147.230.1318410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n139\r\nAddress45.147.229.928410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 13 of 23\n\n140\r\nAddress45.147.229.688410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\n141\r\nAddress45.147.229.528410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n142\r\nAddress45.147.229.448410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk\r\n143\r\nHostservice-checker.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n144\r\nHostboost-servicess.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n145\r\nHostbakcup-monster.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n146\r\nHostbakcup-checker.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n147\r\nHostbackup-simple.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n148\r\nHostbackup-leader.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n149\r\nHostbackup-helper.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n150\r\nHostservice-leader.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 14 of 23\n\n151\r\nHostnas-simple-helper.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n152\r\nHostnas-leader.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk\r\n153\r\nFileBA17A1FD0E350C77A58C88AE6AA28AAA : 1DA3A7A84386AA4A278677BFF97C5E23AA6BBD0A :\r\n2376A8DA650C124B3D916765F82929B4109F20BC4F211A39A4D1CD4391780D1F10010-15-202010-15-2020Cobalt\r\nStrike executable communicates with a domain identified in a series of infrastructure with consistent registration and\r\nnaming, and, based on 3rd party analysis, associated with\r\nRyuk.https://www.virustotal.com/gui/file/2376a8da650c124b3d916765f82929b4109f20bc4f211a39a4d1cd4391780d1f/detection/f\r\n2376a8da650c124b3d916765f82929b4109f20bc4f211a39a4d1cd4391780d1f-1602673645Cobalt Strike;Ryuk\r\n154\r\nFile7430F8E3F9F8716B8DBC548997AD8F8A : 7062CD7B0E0D3EEF423E20AEF39FB330FAF88717 :\r\n4544B478B2029EC38EB4BDA111741A10F0684E38F1B29CE092B93DF882D11F9E10010-15-202010-15-2020Cobalt\r\nStrike executable communicates with a domain identified in a series of infrastructure with consistent registration and\r\nnaming, and, based on 3rd party analysis, associated with\r\nRyuk.https://www.virustotal.com/gui/file/4544b478b2029ec38eb4bda111741a10f0684e38f1b29ce092b93df882d11f9e/detection/f\r\n4544b478b2029ec38eb4bda111741a10f0684e38f1b29ce092b93df882d11f9e-1602761394Cobalt Strike;Ryuk\r\n155\r\nHostbackup1nas.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n156\r\nHostnasmastrservice.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n157\r\nHostbackupnas1.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n158\r\nHostnas-helper.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n159\r\nHostnasmasterservice.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 15 of 23\n\n160\r\nHostelephantdrrive.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n161\r\nHostbackupmastter.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n162\r\nHostbackup1service.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n163\r\nHostopen1vpn.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap\r\nand hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n164\r\nHostservice-boostter.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n165\r\nHostservice-hellper.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through\r\nNameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n166\r\nAddress45.138.172.304410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n167\r\nAddress45.147.230.874410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n168\r\nAddress45.138.172.954410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n169\r\nAddress45.147.230.304410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n170\r\nAddress45.147.229.2534410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 16 of 23\n\n171\r\nAddress45.147.229.1804410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n172\r\nAddress45.147.229.1284410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n173\r\nAddress45.147.228.774410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n174\r\nAddress185.25.51.764410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early\r\nOctober 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n175\r\nAddress45.147.228.1644410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server\r\n176\r\nAddress45.138.172.514410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in\r\nearly October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk\r\n177\r\nHostzhameharden.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n178\r\nHostbithunterr.com8709-30-202010-11-2020Cobalt Strike infrastructure identified by Twitter user Bryce (@bryceabdo).\r\nDomain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely\r\nassociated with a series of similarly-registered domains used in conjunction with various\r\nmalware.https://twitter.com/bryceabdo/status/1309479842119909376Ryuk;Dedicated Server;Suspicious Name Server\r\nUse;Cobalt Strike\r\n179\r\nHosttiancaii.com8709-30-202010-11-2020Domain was registered through MonoVM in late September 2020 using a\r\nprotonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with\r\nvarious malware.ThreatConnect EnrichmentRyuk;Dedicated Server;Suspicious Name Server Use;Bazar\r\n180\r\nHostraidbossa.com8709-30-202010-11-2020Cobalt Strike infrastructure identified by Twitter user Bryce (@bryceabdo).\r\nDomain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely\r\nassociated with a series of similarly-registered domains used in conjunction with various\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 17 of 23\n\nmalware.https://twitter.com/bryceabdo/status/1309479842119909376Ryuk;Dedicated Server;Suspicious Name Server\r\nUse;Cobalt Strike\r\n181\r\nHostrapirasa.com8709-30-202010-11-2020Cobalt Strike infrastructure identified by Twitter user Bryce (@bryceabdo).\r\nDomain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely\r\nassociated with a series of similarly-registered domains used in conjunction with various\r\nmalware.https://twitter.com/bryceabdo/status/1309479842119909376Ryuk;Dedicated Server;Suspicious Name Server\r\nUse;Cobalt Strike\r\n182\r\nHostprimeviref.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n183\r\nHostmyobtain.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n184\r\nHosthotlable.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect\r\nEnrichmentRyuk;Cobalt Strike\r\n185\r\nHosthunbabe.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect\r\nEnrichmentRyuk;Cobalt Strike\r\n186\r\nHosthavemosts.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n187\r\nHostquwasd.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect\r\nEnrichmentCobalt Strike;Ryuk\r\n188\r\nHostremotessa.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 18 of 23\n\n189\r\nHostsecondlivve.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n190\r\nHostservice-boosterr.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n191\r\nHostservicemount.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n192\r\nHostservicesupdater.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n193\r\nHostserviceupdatter.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n194\r\nHostsobcase.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect\r\nEnrichmentRyuk;Cobalt Strike\r\n195\r\nHostunlockwsa.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n196\r\nHostwodemayaa.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n197\r\nHostcheapshhot.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 19 of 23\n\n198\r\nHostdotmaingame.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentRyuk;Cobalt Strike\r\n199\r\nHostblackhoall.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with\r\nRyuk.ThreatConnect EnrichmentCobalt Strike;Ryuk\r\n200\r\nHostvnuret.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n201\r\nHostservicegungster.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n202\r\nHostrealgamess.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n203\r\nHostwondergodst.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n204\r\nHostsweetmonsterr.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n205\r\nHostqascker.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n206\r\nHostzetrexx.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n207\r\nHostreginds.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n208\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 20 of 23\n\nHosthakunaman.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n209\r\nHostgtrsqer.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n210\r\nHostrazorses.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n211\r\nHostharddagger.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious\r\nexecutables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;BEACON;Cobalt Strike\r\n212\r\nHostcheckhunterr.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n213\r\nHostcheck4list.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious\r\nexecutables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;BEACON;Cobalt Strike\r\n214\r\nHostkungfupandasa.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n215\r\nHostbiliyilish.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n216\r\nHostbouths.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n217\r\nHostjonsonsbabyy.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n218\r\nHostchekingking.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 21 of 23\n\n219\r\nHostpudgeee.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating\r\nwith Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n220\r\nHostnomadfunclub.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike\r\n221\r\nHostbugsbunnyy.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n222\r\nHostchalengges.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\n223\r\nHostgetinformationss.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious\r\nexecutables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;BEACON;Cobalt Strike\r\n224\r\nHostgameleaderr.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious\r\nexecutables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;Cobalt Strike;BEACON\r\n225\r\nHostraaidboss.com8709-30-202010-11-2020Domain was registered through MonoVM in late September 2020 using a\r\nprotonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with\r\nvarious malware.ThreatConnect EnrichmentRyuk;Dedicated Server;Suspicious Name Server Use\r\n226\r\nHostayiyas.com8709-30-202010-11-2020Domain was registered through MonoVM in late September 2020 using a\r\nprotonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with\r\nvarious malware.ThreatConnect EnrichmentRyuk;Dedicated Server;Suspicious Name Server Use\r\n227\r\nAddress45.34.6.2217810-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious\r\nexecutables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;Cobalt Strike;BEACON\r\n228\r\nAddress96.9.225.1437810-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 22 of 23\n\n229\r\nAddress45.34.6.2237810-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs\r\ncommunicating with Cobalt Strike / Beacon malicious\r\nexecutables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;Cobalt Strike;BEACON\r\nSource: https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nPage 23 of 23", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv" ], "report_names": [ "WizardSpider-UNC1878-Ryuk.csv" ], "threat_actors": [ { "id": "12211366-1f14-4eed-9d91-46b6a2ede618", "created_at": "2025-08-07T02:03:25.014713Z", "updated_at": "2026-04-10T02:00:03.624097Z", "deleted_at": null, "main_name": "GOLD ULRICK", "aliases": [ "Grim Spider ", "UNC1878 " ], "source_name": "Secureworks:GOLD ULRICK", "tools": [ "Bloodhound", "Buer Loader", "Cobalt Strike", "Conti", "Diavol", "PowerShell Empire", "Ryuk", "SystemBC", "Team9 (aka BazarLoader)", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508", "created_at": "2022-10-25T16:07:24.584775Z", "updated_at": "2026-04-10T02:00:05.042135Z", "deleted_at": null, "main_name": "UNC1878", "aliases": [], "source_name": "ETDA:UNC1878", "tools": [ "Agentemis", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "KEGTAP", "Ryuk", "Team9Backdoor", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f6f91e1c-9202-4497-bf22-9cd5ef477600", "created_at": "2023-01-06T13:46:38.86765Z", "updated_at": "2026-04-10T02:00:03.12735Z", "deleted_at": null, "main_name": "WIZARD SPIDER", "aliases": [ "TEMP.MixMaster", "GOLD BLACKBURN", "DEV-0193", "UNC2053", "Pistachio Tempest", "DEV-0237", "Storm-0230", "FIN12", "Periwinkle Tempest", "Storm-0193", "Trickbot LLC" ], "source_name": "MISPGALAXY:WIZARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e", "created_at": "2024-06-04T02:03:07.799286Z", "updated_at": "2026-04-10T02:00:03.606456Z", "deleted_at": null, "main_name": "GOLD BLACKBURN", "aliases": [ "ITG23 ", "Periwinkle Tempest ", "Wizard Spider " ], "source_name": "Secureworks:GOLD BLACKBURN", "tools": [ "BazarLoader", "Buer Loader", "Bumblebee", "Dyre", "Team9", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01", "created_at": "2023-01-06T13:46:39.178183Z", "updated_at": "2026-04-10T02:00:03.23716Z", "deleted_at": null, "main_name": "UNC1878", "aliases": [], "source_name": "MISPGALAXY:UNC1878", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3", "created_at": "2022-10-25T16:07:24.422115Z", "updated_at": "2026-04-10T02:00:04.983298Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "DEV-0193", "G0102", "Gold Blackburn", "Gold Ulrick", "Grim Spider", "ITG23", "Operation BazaFlix", "Periwinkle Tempest", "Storm-0230", "TEMP.MixMaster", "Wizard Spider" ], "source_name": "ETDA:Wizard Spider", "tools": [ "AdFind", "Agentemis", "Anchor_DNS", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "Conti", "Diavol", "Dyranges", "Dyre", "Dyreza", "Dyzap", "Gophe", "Invoke-SMBAutoBrute", "KEGTAP", "LaZagne", "LightBot", "PowerSploit", "PowerTrick", "PsExec", "Ryuk", "SessionGopher", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "TrickMo", "Upatre", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434301, "ts_updated_at": 1775792171, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/505bbb4e893ac28f894094462d79fe5f52380ba2.pdf", "text": "https://archive.orkl.eu/505bbb4e893ac28f894094462d79fe5f52380ba2.txt", "img": "https://archive.orkl.eu/505bbb4e893ac28f894094462d79fe5f52380ba2.jpg" } }