research-team/IOCs/WizardSpider-UNC1878-Ryuk.csv at master ยท ThreatConnect-Inc/research-team By Alex Archived: 2026-04-05 15:30:19 UTC 2 Address104.217.62.1109010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878 3 Address104.149.170.1909010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentWizard Spider;Dedicated Server;UNC1878;Ryuk 4 Address172.106.86.69010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentWizard Spider;UNC1878;Dedicated Server;Ryuk 5 Address104.149.170.1829010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentWizard Spider;UNC1878;Ryuk;Dedicated Server 6 Address104.217.62.1119010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878 7 Address104.149.170.1669010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentUNC1878;Wizard Spider;Ryuk;Dedicated Server 8 Address172.106.86.59010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentRyuk;Wizard Spider;Dedicated Server;UNC1878 9 Address104.149.168.2229010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentDedicated Server;Wizard Spider;UNC1878;Ryuk 10 Address172.106.86.49010-30-202010-30-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 30 2020. ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 1 of 23 11 Hostnasupdater.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentUNC1878;Dedicated Server;Ryuk;Wizard Spider 12 Hostnashelper.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentWizard Spider;Ryuk;UNC1878;Dedicated Server 13 Hostnasbooster.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server 14 Hostibackupview.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;UNC1878;Ryuk;Wizard Spider 15 Hostibackupupdate.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878 16 Hostibackupboost.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk;Wizard Spider;UNC1878 17 Hostchecksservice.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Wizard Spider;UNC1878;Dedicated Server 18 Hostiservicec.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server;Wizard Spider;UNC1878 19 Hostuncheckhel.com9010-30-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentWizard Spider;Ryuk;Dedicated Server;UNC1878 20 Address104.149.168.2139010-29-202010-30-2020IP hosts most likely Ryuk domain backupslive.com on a dedicated server, as of October 29 2020.ThreatConnect EnrichmentRyuk;Dedicated Server;UNC1878;Wizard Spider 21 Hostbackupslive.com9010-29-202010-30-2020Most likely Ryuk domain registered on October 27 2020 through NameCheap and hosted on a dedicated server at 104.149.168.213. Per Censys, domain uses an SSL certificate with similar https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 2 of 23 subject string ("C=US, ST=TX, L=Texas, O=lol, OU=,") compared to previous Ryuk infrastructure. ThreatConnect EnrichmentRyuk;Dedicated Server;UNC1878;Wizard Spider 22 Address209.141.34.915010-29-202010-29-2020IP hosts a possible Ryuk domain as of October 29 2020.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server 23 Hostthecheckupdater.com5010-29-202010-29-2020Possible Ryuk domain registered on October 26 2020 and hosted on a probable dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server 24 Hostsupservupdate.com5010-29-202010-29-2020Possible Ryuk domain registered on October 26 2020 and hosted on a probable dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server 25 Hostboost-helper.com5010-29-202010-29-2020Possible Ryuk domain registered on October 26 2020 and hosted on a probable dedicated server.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server 26 Address205.185.127.2155010-29-202010-29-2020IP hosts a possible Ryuk domain as of October 29 2020.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server 27 Address209.141.61.435010-29-202010-29-2020IP hosts a possible Ryuk domain as of October 29 2020.ThreatConnect EnrichmentRyuk;UNC1878;Wizard Spider;Dedicated Server 28 Address172.106.86.229010-29-202010-29-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 29 2020. ThreatConnect EnrichmentWizard Spider;Dedicated Server;Ryuk;UNC1878 29 Address190.211.254.1565010-29-202010-29-2020IP hosts a possible Ryuk domain on a dedicated server, as of October 29 2020.ThreatConnect EnrichmentUNC1878;Dedicated Server;Ryuk;Wizard Spider 30 Address172.106.86.135010-29-202010-29-2020IP hosts a possible Ryuk domain on a dedicated server, as of October 29 2020.ThreatConnect EnrichmentWizard Spider;Ryuk;UNC1878;Dedicated Server 31 Address209.141.49.2339010-29-202010-29-2020IP hosts a most likely Ryuk domain on a dedicated server, as of October 29 2020. ThreatConnect EnrichmentUNC1878;Wizard Spider;Dedicated Server;Ryuk 32 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 3 of 23 Address104.217.8.1035010-29-202010-29-2020IP hosts a possible Ryuk domain on a dedicated server, as of October 29 2020.ThreatConnect EnrichmentUNC1878;Wizard Spider;Ryuk;Dedicated Server 33 Hostiupdaters.com5010-29-202010-29-2020Possible Ryuk domain registered through Openprovider on October 23 2020 and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server;UNC1878;Wizard Spider 34 Hostiupdatemaster.com5010-29-202010-29-2020Possible Ryuk domain registered through Openprovider on October 23 2020 and hosted on a dedicated server.ThreatConnect EnrichmentUNC1878;Dedicated Server;Ryuk;Wizard Spider 35 Hostimasterupdate.com5010-29-202010-29-2020Possible Ryuk domain registered through Openprovider on October 23 2020 and hosted on a dedicated server.ThreatConnect EnrichmentWizard Spider;UNC1878;Dedicated Server;Ryuk 36 Hostitopupdater.com9010-29-202010-29-2020Most likely Ryuk domain registered on October 23 2020 through Openprovider and hosted on a dedicated server. Per Censys, domain uses an SSL certificate with similar subject string ("C=US, ST=TX, L=Texas, O=lol, OU=,") compared to previous Ryuk infrastructure.ThreatConnect EnrichmentUNC1878;Wizard Spider;Ryuk;Dedicated Server 37 Hostit1booster.com9010-29-202010-29-2020Most likely Ryuk domain registered on October 23 2020 through Openprovider and hosted on a dedicated server. Per Censys, domain uses an SSL certificate with similar subject string ("C=US, ST=TX, L=Texas, O=lol, OU=,") compared to previous Ryuk infrastructure.ThreatConnect EnrichmentUNC1878;Ryuk;Wizard Spider;Dedicated Server 38 Hostidrivecheck.com4510-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentCobalt Strike;Ryuk 39 Address205.185.123.629010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 40 Address81.17.28.709010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 41 Address81.17.28.1229010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 42 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 4 of 23 Address179.43.128.39010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 43 Address205.185.121.1349010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 44 Address81.17.28.1059010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 45 Address179.43.158.1719010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 46 Address179.43.133.449010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 47 Address179.43.160.2059010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 48 Address179.43.128.59010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentCobalt Strike;Ryuk 49 Address205.185.126.1729010-28-202010-28-2020IP address used to host a most likely Ryuk domain on a dedicated server in late October 2020.ThreatConnect EnrichmentRyuk 50 Hostservice1upd.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 51 Hostservice1boost.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 52 Hostidriveview.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 53 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 5 of 23 Hostidriveupdate.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 54 Hostidriverrs.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 55 Hostidrivehepler.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 56 Hostidrivefinder.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 57 Hostidrivedwn.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 58 Hostidrivedownload.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 59 Hostidriveboost.com9010-28-202010-28-2020Most likely Ryuk domain registered on October 25 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 60 File27B341FA2AA731335273204CB112A414 : 3BA6EBC1CECA4A37FD13AC4875F2AFDDB046151C : 2FACD367C1299EF200934CFD06279F177F9E3145164E4BD595E2B94A403A1B0210010-28-202010-28-2020Cobalt Strike executable communicates with most likely Ryuk domain idrivecheck.com.ThreatConnect EnrichmentCobalt Strike;Ryuk 61 Address45.153.241.1679010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 62 Address45.147.231.2229010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 63 Address45.153.241.1539010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 6 of 23 64 Address45.153.241.1589010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 65 Address45.153.241.1469010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 66 Address45.153.241.1419010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 67 Address45.153.241.149010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 68 Address45.153.241.1389010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 69 Address45.153.241.1399010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 70 Address45.153.241.1349010-23-202010-23-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 71 Hostview-backup.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 72 Hosttop3servicebooster.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 73 Hostservicereader.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server 74 Hostservicehel.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 7 of 23 75 Hostservice1view.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 76 Hostservice1update.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server 77 Hostdriver1downloads.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 78 Hostdriver-boosters.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 79 Hostbackups1helper.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 80 Hostservice-hel.com9010-23-202010-23-2020Most likely Ryuk domain registered on October 20 2020 through NameCheap and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 81 FileED0F520D410A684C6D0548DBF4CAEA98 : 6381FC7E6D39549E0F7E65AC8151EEB6D70ECEF9 : 093AC1213B112C7EB7C46000F04160AF37339CE0D6FFF514F0941F2B5AB4882910010-23-202010-23-2020Malicious executable communicates with most likely Ryuk domain servicereader.com.ThreatConnect Enrichment 82 File6C4DACBEFCA90DAD7EF318604E635E89 : 5810D3A052D459760DEFBF479BE15DF1EEBFF48F : 1C05380AF47696F7D7EF84B452FA4F662158D9F1CAF7AD01A455061081D1365310010-23-202010-23-2020Malicious executable communicates with most likely Ryuk domain servicereader.com.ThreatConnect Enrichment 83 Hostdriver1master.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server 84 Hostchecktodrivers.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 85 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 8 of 23 Hostgodofservice.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 86 Hostservice1updater.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 87 Hostboost-yourservice.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 88 Hostviewdrivers.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 89 Hostdriver1updater.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 90 Hostbackup1master.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 91 Hostdriverdwl.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server 92 Hostbackup1helper.com7510-21-202010-21-2020Probable Ryuk domain registered on October 17 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 93 Address45.153.241.17510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 94 Address45.153.240.1367510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 95 Address194.36.188.457510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 96 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 9 of 23 Address45.153.240.2207510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 97 Address45.153.240.1787510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 98 Address194.36.188.1547510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 99 Address45.153.240.1947510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 100 Address45.153.240.2407510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 101 Address45.153.240.2467510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 102 Address185.117.75.1937510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 103 Address45.153.240.1577510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 104 Address45.153.240.1387510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 105 Address45.153.240.2227510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 106 Address188.116.36.1557510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 107 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 10 of 23 Address45.153.240.1337510-21-202010-21-2020IP address used to host a probable Ryuk domain on a dedicated server in mid October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 108 Address108.62.12.1148410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 109 Address108.62.12.1198410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 110 Address108.62.12.1218410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 111 Address108.62.12.128410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 112 Address74.118.138.1398410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 113 Address74.118.138.1388410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk 114 Address74.118.138.1378410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk 115 Address74.118.138.1168410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 116 Address74.118.138.1158410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 117 Address108.62.12.1168410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentRyuk;Dedicated Server 118 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 11 of 23 Address108.62.12.1058410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk 119 Address108.177.235.538410-19-202010-19-2020IP address used to host a most likely Ryuk domain on a dedicated server in mid October 2020. ThreatConnect EnrichmentDedicated Server;Ryuk 120 Hosttopservicebooster.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 121 Hosttopservice-masters.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 122 Hosttopbackup-helper.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 123 Hosttop3-services.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 124 Hostsimpleservice-checker.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server 125 Hostsimple-backupbooster.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 126 Hosttop-backupservice.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server 127 Hosttop-backuphelper.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentRyuk;Dedicated Server 128 Hostbestservicehelper.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentCobalt Strike;Ryuk;Dedicated Server 129 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 12 of 23 Hostbest-nas.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 130 Hostbest-backup.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 131 Hosttopbackupintheworld.com8710-19-202010-19-2020Most likely Ryuk domain registered in mid October 2020 and hosted on a dedicated server. ThreatConnect EnrichmentDedicated Server;Ryuk 132 FileF8AAE4C883E19E3E1E880E7AE38C2369 : F3CA59DA7702CA9CB8FDB9F1B764EF2C7915A8A5 : 8B6C3018958E7AE20989045811358B1225606000C879000C779444CC50290D9E10010-19-202010-19-2020Cobalt Strike executable communicates with a domain identified in a series of infrastructure with consistent registration and naming, and most likely associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 133 Address45.147.230.1598410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk 134 Address45.147.230.1418410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk 135 Address45.147.230.1408410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk 136 Address45.147.230.1338410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk 137 Address45.147.230.1328410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk 138 Address45.147.230.1318410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Cobalt Strike 139 Address45.147.229.928410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 13 of 23 140 Address45.147.229.688410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk 141 Address45.147.229.528410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Cobalt Strike 142 Address45.147.229.448410-15-202010-15-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk 143 Hostservice-checker.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 144 Hostboost-servicess.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 145 Hostbakcup-monster.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentCobalt Strike;Ryuk 146 Hostbakcup-checker.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 147 Hostbackup-simple.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 148 Hostbackup-leader.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Cobalt Strike 149 Hostbackup-helper.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 150 Hostservice-leader.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 14 of 23 151 Hostnas-simple-helper.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 152 Hostnas-leader.com8710-15-202010-15-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk 153 FileBA17A1FD0E350C77A58C88AE6AA28AAA : 1DA3A7A84386AA4A278677BFF97C5E23AA6BBD0A : 2376A8DA650C124B3D916765F82929B4109F20BC4F211A39A4D1CD4391780D1F10010-15-202010-15-2020Cobalt Strike executable communicates with a domain identified in a series of infrastructure with consistent registration and naming, and, based on 3rd party analysis, associated with Ryuk.https://www.virustotal.com/gui/file/2376a8da650c124b3d916765f82929b4109f20bc4f211a39a4d1cd4391780d1f/detection/f 2376a8da650c124b3d916765f82929b4109f20bc4f211a39a4d1cd4391780d1f-1602673645Cobalt Strike;Ryuk 154 File7430F8E3F9F8716B8DBC548997AD8F8A : 7062CD7B0E0D3EEF423E20AEF39FB330FAF88717 : 4544B478B2029EC38EB4BDA111741A10F0684E38F1B29CE092B93DF882D11F9E10010-15-202010-15-2020Cobalt Strike executable communicates with a domain identified in a series of infrastructure with consistent registration and naming, and, based on 3rd party analysis, associated with Ryuk.https://www.virustotal.com/gui/file/4544b478b2029ec38eb4bda111741a10f0684e38f1b29ce092b93df882d11f9e/detection/f 4544b478b2029ec38eb4bda111741a10f0684e38f1b29ce092b93df882d11f9e-1602761394Cobalt Strike;Ryuk 155 Hostbackup1nas.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server 156 Hostnasmastrservice.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 157 Hostbackupnas1.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 158 Hostnas-helper.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 159 Hostnasmasterservice.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 15 of 23 160 Hostelephantdrrive.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server 161 Hostbackupmastter.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server 162 Hostbackup1service.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 163 Hostopen1vpn.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 164 Hostservice-boostter.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentRyuk;Dedicated Server 165 Hostservice-hellper.com4710-13-202010-13-2020Possible Ryuk domain registered in early October 2020 through NameCheap and hosted on a dedicated server.ThreatConnect EnrichmentDedicated Server;Ryuk 166 Address45.138.172.304410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 167 Address45.147.230.874410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 168 Address45.138.172.954410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 169 Address45.147.230.304410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 170 Address45.147.229.2534410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 16 of 23 171 Address45.147.229.1804410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 172 Address45.147.229.1284410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 173 Address45.147.228.774410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 174 Address185.25.51.764410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 175 Address45.147.228.1644410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentRyuk;Dedicated Server 176 Address45.138.172.514410-13-202010-13-2020IP address used to host a possible Ryuk domain on a dedicated server in early October 2020.ThreatConnect EnrichmentDedicated Server;Ryuk 177 Hostzhameharden.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 178 Hostbithunterr.com8709-30-202010-11-2020Cobalt Strike infrastructure identified by Twitter user Bryce (@bryceabdo). Domain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with various malware.https://twitter.com/bryceabdo/status/1309479842119909376Ryuk;Dedicated Server;Suspicious Name Server Use;Cobalt Strike 179 Hosttiancaii.com8709-30-202010-11-2020Domain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with various malware.ThreatConnect EnrichmentRyuk;Dedicated Server;Suspicious Name Server Use;Bazar 180 Hostraidbossa.com8709-30-202010-11-2020Cobalt Strike infrastructure identified by Twitter user Bryce (@bryceabdo). Domain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with various https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 17 of 23 malware.https://twitter.com/bryceabdo/status/1309479842119909376Ryuk;Dedicated Server;Suspicious Name Server Use;Cobalt Strike 181 Hostrapirasa.com8709-30-202010-11-2020Cobalt Strike infrastructure identified by Twitter user Bryce (@bryceabdo). Domain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with various malware.https://twitter.com/bryceabdo/status/1309479842119909376Ryuk;Dedicated Server;Suspicious Name Server Use;Cobalt Strike 182 Hostprimeviref.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 183 Hostmyobtain.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 184 Hosthotlable.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 185 Hosthunbabe.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 186 Hosthavemosts.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 187 Hostquwasd.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 188 Hostremotessa.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 18 of 23 189 Hostsecondlivve.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 190 Hostservice-boosterr.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 191 Hostservicemount.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 192 Hostservicesupdater.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 193 Hostserviceupdatter.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 194 Hostsobcase.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 195 Hostunlockwsa.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 196 Hostwodemayaa.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 197 Hostcheapshhot.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 19 of 23 198 Hostdotmaingame.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentRyuk;Cobalt Strike 199 Hostblackhoall.com8710-11-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables and, based on 3rd party analysis, associated with Ryuk.ThreatConnect EnrichmentCobalt Strike;Ryuk 200 Hostvnuret.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 201 Hostservicegungster.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 202 Hostrealgamess.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 203 Hostwondergodst.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 204 Hostsweetmonsterr.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 205 Hostqascker.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 206 Hostzetrexx.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 207 Hostreginds.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 208 https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 20 of 23 Hosthakunaman.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 209 Hostgtrsqer.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 210 Hostrazorses.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 211 Hostharddagger.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;BEACON;Cobalt Strike 212 Hostcheckhunterr.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 213 Hostcheck4list.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;BEACON;Cobalt Strike 214 Hostkungfupandasa.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 215 Hostbiliyilish.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 216 Hostbouths.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 217 Hostjonsonsbabyy.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 218 Hostchekingking.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 21 of 23 219 Hostpudgeee.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 220 Hostnomadfunclub.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;BEACON;Cobalt Strike 221 Hostbugsbunnyy.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 222 Hostchalengges.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON 223 Hostgetinformationss.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;BEACON;Cobalt Strike 224 Hostgameleaderr.com8410-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;Cobalt Strike;BEACON 225 Hostraaidboss.com8709-30-202010-11-2020Domain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with various malware.ThreatConnect EnrichmentRyuk;Dedicated Server;Suspicious Name Server Use 226 Hostayiyas.com8709-30-202010-11-2020Domain was registered through MonoVM in late September 2020 using a protonmail email address and is most likely associated with a series of similarly-registered domains used in conjunction with various malware.ThreatConnect EnrichmentRyuk;Dedicated Server;Suspicious Name Server Use 227 Address45.34.6.2217810-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;Cobalt Strike;BEACON 228 Address96.9.225.1437810-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.ThreatConnect EnrichmentRyuk;Cobalt Strike;BEACON https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 22 of 23 229 Address45.34.6.2237810-06-202010-11-2020Infrastructure identified as part of a large set of domains and IPs communicating with Cobalt Strike / Beacon malicious executables.https://twitter.com/bryceabdo/status/1309510426347143168Ryuk;Cobalt Strike;BEACON Source: https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv Page 23 of 23