{
	"id": "06d96c48-0a7d-4121-8373-436a461bfcc6",
	"created_at": "2026-04-06T00:17:14.684678Z",
	"updated_at": "2026-04-10T13:11:57.009987Z",
	"deleted_at": null,
	"sha1_hash": "5f5d6d028898dce8bb445e07cc85a9bc66c51bed",
	"title": "Centreon to Exim and Back: On the Trail of Sandworm - DomainTools | Start Here. Know Now.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422917,
	"plain_text": "Centreon to Exim and Back: On the Trail of Sandworm - DomainTools | Start Here. Know Now.\r\nBy Joe Slowik\r\nPublished: 2021-03-03 · Archived: 2026-04-05 21:39:52 UTC\r\n
Background\r\n
Sandworm, also referred to as Telebots, Voodoo Bear, and Hades, is a cyber threat group active since at least 2009. Multiple governments, including the United Kingdom in 2018 and the United States in 2020, publicly link the group to Russia’s military intelligence service (commonly referred to as the GRU). The group is notable not only for its longevity, but also its audacity, as Sandworm is associated with multiple high-profile, disruptive incidents such as the following:\r\n
Given the group’s association with destructive cyber events, such as the 2017 NotPetya incident, the 2015 TV5 Monde event, and the attempted protection attack against Ukrainian electric operations in 2016, network defenders and Cyber Threat Intelligence (CTI) professionals should be especially attentive to high-confidence disclosures of activity linked to Sandworm.\r\n
Sandworm and Centreon\r\n
In early 2021, the French National Agency for the Security of Information Systems (ANSSI) released a report on Sandworm-linked activity targeting IT monitoring software produced by Centreon from late 2017 through 2020. Operations included deployment of the publicly available P.A.S. webshell (specifically version 3.1.4), as well as Linux malware referred to by researchers at ESET as “Exaramel”, which has only previously been linked to Sandworm activity. While the former tool is widely available (although also deployed in other operations linked to Russian intelligence services), the latter is exclusively tied to Sandworm-related operations, and features extensive code and functionality overlap with other Sandworm-linked tools, as described in ESET’s analysis.\r\n
Although the focus on IT monitoring software suggests superficial overlaps with the SolarWinds-related intrusion activity (tentatively linked to Russian intelligence operations) in 2019, no evidence exists of a similar supply chain vector. Instead, subsequent reporting indicated older versions of the open source version of Centreon’s software were victimized as part of this campaign. A statement from Centreon specified that version 2.5.2 of the software, deprecated in 2014 and unsupported since 2016, was the latest version impacted.\r\n
SolarWinds Incident vs. Centreon Activity\r\n
Access Vector. SolarWinds: Development environment compromise enabling distribution of modified software. Centreon: Likely exploitation of a vulnerability in older versions of Centreon open source software.\r\n
Victimology. SolarWinds: SolarWinds itself, followed by multiple organizations running SolarWinds Orion software. Centreon: Limited number of organizations running older variants of Centreon software; Centreon not impacted.\r\n
Responsible Entity. SolarWinds: Possible links to Russian intelligence operations, specifically the Foreign Intelligence Service (SVR). Centreon: Technical and other links to the Sandworm entity, linked to Russian military intelligence (GRU).\r\n
While DomainTools cannot make a definitive determination, based on these details it appears that the intruder likely used a vulnerability such as CVE-2014-3828, a SQL injection vulnerability in Centreon patched in version 2.5.3, to write data to the vulnerable system (such as a webshell) which could facilitate follow-on code execution within the victim environment. Given details published by ANSSI in terms of webshell file paths (located under the “/usr/local/centron/www/” and “/usr/share/centreon/www/” directories) and user context (the “apache” user, which references the Apache web server software used in Centreon deployments), along with the published CVE referenced, the most likely path to exploitation appears to be compromise of a vulnerability in Centreon software as opposed to compromise of Centreon itself.\r\n
In providing analysis of the Centreon exploitation activity, ANSSI outlines technical and behavioral details observed, but little in the way of technical indicators. Specifically, the report identifies no network infrastructure associated with the activity aside from a general comment noting the use of VPN services to connect to webshell instances and a separate set of Command and Control (C2) nodes to communicate with Exaramel deployments. While this may appear limiting at first for further research, analysts can look to concurrent activity linked to Sandworm to gain greater insight into how this threat may have operated during the approximately three-year-long Centreon campaign.\r\n
Examining the Exim Campaign\r\n
In May 2020, the US National Security Agency (NSA) issued a brief report: “Sandworm Actors Exploiting Vulnerability in Exim Mail Transfer Agent”. The report is notable for two reasons: First, the report explicitly identifies Sandworm as “the GRU Main Center for Special Technologies (GTsST), field post number 74455.” Second, and related to the ANSSI report, the NSA details a campaign which overlaps with the Centreon activity, taking place from August 2019 through May 2020.\r\n
The campaign described by NSA involves exploitation of the Exim Mail Transfer Agent (MTA) software. Used for transferring email between servers via SMTP, MTA software is network-accessible by design, with Exim being the default MTA for many variants of Linux. The vulnerability linked to Sandworm activity, CVE-2019-10149, can allow for Remote Code Execution (RCE) on the vulnerable host depending on Exim’s configuration and if it is remotely accessible. If accessible, the Exim exploit can facilitate both initial access to victim networks as well as lateral movement to other servers with listening, accessible Exim MTA instances.\r\n
Exploitation of this RCE vulnerability is relatively trivial. In the following image included from NSA reporting, Sandworm operations leveraged the exploit to retrieve a shell script from a remote resource and then execute it:\r\n
Unfortunately, while the script’s functions are described at a relatively high level in the report, it does not provide in-depth detail. Although some of the network infrastructure used to execute these attacks is noted, this consists of only two IP addresses and a domain:\r\n95.216.13[.]196\r\n103.94.157[.]5\r\nhostapp[.]be\r\n
Although apparently circumscribed, with historical network data including hosting records and passive DNS (pDNS), CTI analysts can begin identifying characteristics and fundamental aspects of this infrastructure during its period of use (August 2019 through May 2020). To start, we can examine the domain. Of note, since “.be” is a country-level Top Level Domain (TLD) associated with Belgium, the complete WhoIs record cannot (for legal reasons) be retrieved and archived by services such as DomainTools. Looking at the current WhoIs information through the Belgian WhoIs service shows that, since the NSA’s report, the domain has been re-registered:\r\n
However, examining limited data archived via DomainTools, we can at least get an understanding of when the domain was first registered for use in the Exim campaign as well as limited infrastructure details:\r\n
While WhoIs registration information is not captured, we can still observe two characteristics of this infrastructure:\r\nRegistration via Tucows.\r\nAuthoritative name servers provided by Njalla.\r\n
While these are fairly general characteristics shared by a number of suspicious domains, we at least now have a better understanding of how this adversary was registering infrastructure, as well as when: 24 December 2018.\r\n
Examination of hosting information and pDNS records is more fruitful:\r\n
Several items emerge from the above pDNS data:\r\n1. The data confirms one of the IP addresses listed by NSA (95.216.13[.]196) was used to host hostapp[.]be during the operational window.\r\n2. The other IP address noted by NSA, 103.94.157[.]5, is not associated with hostapp[.]be in available pDNS data.\r\n3. Several additional, not previously disclosed IP addresses are also associated with the domain.\r\n
The first point is useful, but the other two provide avenues for further research. Looking at the IP not associated with the domain but linked by NSA with Exim exploitation, no firm domain links appear except to the following item from May 2020 (approximately the same time as the NSA report’s release) through January 2021:\r\nMonitor.sbp[.]hk\r\n
This specific resource does not resolve, but sbp[.]hk appears to be a template page for web design with no clear, legitimate functionality. However, the name does link to the hosting provider, SBP Corporation, located in India. Overall, nothing of value appears related to this indicator at present.\r\n
More interesting are the previously undisclosed items linked to hostapp[.]be:\r\n185.44.76[.]193\r\n94.75.193[.]239\r\n85.158.77[.]2\r\n145.14.133[.]105\r\n176.10.104[.]219\r\n
Of these, 176.10.104[.]219 appears most significant and responsible for the majority of responses for hostapp[.]be from November 2019 to the end of December 2019. These items are explored in greater detail in the following section. Notably, records cease linking to the domain after 26 December 2019 until 28 May 2020—the same day the NSA report was released—when the domain shifts to various GoDaddy parking IP addresses.\r\n
While the above research identified new, previously unobserved indicators correlated with Sandworm operations, additional work is required to both understand these and cement any links with the notorious group.\r\n
Pivoting to New Indicators and Infrastructure\r\n
Reviewing all IP addresses identified thus far returns the following:\r\n
IP Address Hosting Provider Hosting Location Likely Purpose\r\n95.216.13[.]196 Hetzner Online FI Domain hosting, Exim exploit\r\n103.94.157[.]5 SBP Corporation IN Exim exploit\r\n185.44.76[.]193 Hydra Communications GB Domain hosting\r\n94.75.193[.]239 LeaseWeb NL Domain hosting\r\n85.158.77[.]2 SIA SkaTVis LV Domain hosting\r\n145.14.133[.]105 DA International Group US Domain hosting\r\n176.10.104[.]219 Datasource AG CH Domain hosting, Exim exploit\r\n
While there are several outliers, at least for the items most closely associated with Exim exploitation and hosting hostapp[.]be, Sandworm appears to favor European hosting providers correlated with privacy-focused legal regimes or companies. While all of the above items were hosted with hostapp[.]be at some point, the majority were only linked to the domain for a day or two in November 2019, and their precise functionality is indeterminate without additional data.\r\n
Yet one of the IP addresses associated with Sandworm activity from July 2019 to early November 2019, 95.216.13[.]196, shows a link to a BASH shell script with the following characteristics:\r\nMD5: 92d078d05e89c55b7bb7187fd1c53bdd\r\nSHA256: dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730\r\n
Review of this object shows immediate items of concern:\r\n
Reviewing this portion of the script, the following takes place:\r\nA new authorized key is added to the SSH configuration.\r\nA new root-level user, “mysql_db”, is created with a hard-coded password, and added as an allowed SSH user.\r\nThe script performs a check for the SSH listening port on the victim machine, and sends this back to 205.204.66[.]196 as a parameter.\r\n
Of note, the IP address referenced, hosted by Netelligent in Canada, is also used in a script with similar functionality as that above:\r\nMD5: d61d598106b04520a018dfa58e707ab2\r\nSHA256: 538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e\r\n
Yet the first script identified contains further functionality that merits exploration. For example, the following Python code, encoded as a base64 object, is decoded and executed with the script, then added to the system crontab for weekly execution:\r\n
Functionality is somewhat straightforward:\r\nCheck for a running process named “Little Snitch,” an application firewall and connection monitoring tool associated with MacOS; if found, the script exits.\r\nAttempt to connect to IP 95.216.13[.]196 via HTTP on port 8080 with a hardcoded User Agent string and cookie value.\r\nDecode the response with a hard-coded encryption key, and execute the result.\r\n
Unfortunately, DomainTools was unable to recover a payload from the IP address. However, two items stand out from the above steps:\r\n1. The script is designed to silently exit in the presence of network monitoring tools associated with MacOS. While MacOS supports Exim, this is not a default item as MacOS uses Postfix instead.\r\n2. The script utilizes a User Agent value that would be associated with a Windows system, when Exim is a Linux/Unix application, creating a mismatch in traffic visibility and expectations if examined.\r\n
In addition to this item, an additional encoded Python program is also embedded in the script that executes on initial load and is added to a weekly crontab:\r\n
This item is somewhat simpler than the first:\r\nAgain create a hard-coded User Agent string, representative of a Windows system.\r\nInitiate a connection to 95.216.13[.]196 via HTTP over TCP 53 (normally associated with DNS zone transfers).\r\nExecute the returned payload.\r\n
Again, DomainTools was unable to recover the payload in this instance. Both items, especially given their addition to weekly crontab entries, appear designed for persistence, either downloading and executing some follow-on payload or sequence of commands. Nonetheless, at this stage we have significantly enriched the original findings of the NSA report on Exim activity, as well as identifying potential infrastructure tendencies linked to Sandworm from July 2019 through at least December 2019.\r\n
Unfortunately, we have not yet identified anything linking this campaign or its technical indicators to the Centreon-based intrusions. However, the information yielded in the above investigation can be used to cast our investigative net wider in search of infrastructure or other artifacts which may link back to Sandworm operations.\r\n
Identifying a Possible Linked Credential Theft Campaign\r\n
At this stage of analysis, we possess multiple IP addresses but still only one domain, and two scripting objects that link back to already-known infrastructure. One possible infrastructure hunting hypothesis would be to look for similar domains registered in approximately the same period (December 2018). Searching for domains beginning with “hostapp” created in December 2018 returns interesting results:\r\n
Domain Date Created Registrar Name Server Primary IP Primary Hosting\r\nhostapp[.]art 11 Dec 2018 Tucows Njalla 91.197.145[.]114 LTD KuMIR TELECOM\r\nhostapp[.]link 20 Dec 2018 Tucows Njalla 77.47.193[.]36 Association of users of Ukrainian Research \u0026 Academic Network URAN\r\n
In addition to matching the pattern of hostapp[.]be in hosting, these items also link to interesting subdomains, such as the following:\r\ni.ua.account-check.hostapp[.]link\r\nfacebook.com.webapp.hostapp[.]art\r\ntwitter.com.webapp.hostapp[.]art\r\n
Furthermore, the IP addresses represent new observables that reveal additional domains with similar subdomains spoofing a variety of mail and social media services:\r\nfacebook.com.webapp.apse[.]xyz\r\nwww.facebook.com.webapp.memcached[.]in\r\napi.twitter.com.webapp.workbench[.]run\r\napi.twitter.account.nsoxt[.]com\r\n
While investigating this new path, DomainTools researchers identified another “name cluster” created in December 2018 similar to the hostapp domains:\r\nspdup[.]art\r\nspdup[.]be\r\nspdup[.]info\r\n
All registered on 22 December 2018 via Tucows and Njalla name servers, they also link to additional IP addresses and subdomains:\r\ngoogle-settings.spdup[.]be\r\npassport.www.mail.yandex.ru.spdup[.]be\r\naccounts.google-account-settings.spdup[.]art\r\ngoogle-settingsapi.spdup[.]info\r\n
A complete list of primary domains and associated IP addresses at time of use is provided in Appendices A and B, respectively. The precise functions of these items (and related infrastructure) are not completely clear in all cases. Examination of some items does reveal spoofed logon pages which could be leveraged for credential capture. For example, the “passport.www.mail.yandex[.]ru” subdomain above resolved to the following spoofed logon page for Yandex as late as November 2019:\r\n
Reviewing subdomains overall, the primary emphasis appears to be spoofing services tied to Ukraine, Bulgaria, and Russia, with a handful of items that appear to have a general European Union (EU) theme. For this latter observation, the following items appear interspersed with more specific references to Russia or Ukraine:\r\nyanoo.com.userarea[.]eu\r\ndrive.google.com.filepreview.auth.userarea[.]click\r\n
Reviewing items linked in the appendices, some were active long after release of NSA’s Exim report and potentially into early 2021. Yet the majority appear to have been detected around May or June 2020, and have been “sinkholed” on Amazon Web Services (AWS) IP 52.45.178[.]122 or related addresses since.\r\n
Implications for Understanding Sandworm\r\n
While the previous section appears to identify a cluster of activity adjacent to publicly documented Sandworm operations, such links—although likely given the persistence in naming themes and sharing of hosting infrastructure—cannot be proved with available information. Nonetheless, in the process of expanding our view into known elements of adversary activity, we as CTI analysts have greatly expanded our view into likely related, concurrent operations by a disruptive threat actor. While we identified a number of additional indicators, we more critically delineated adversary behaviors:\r\n
Understanding of Linux-environment alterations used by Sandworm for system modification and persistence within the Exim campaign.\r\nIdentification of infrastructure hosting and registration tendencies within the timeframe covered by both NSA and ANSSI reporting.\r\nUncovering a likely concurrent credential harvesting campaign linked to Sandworm infrastructure with specific items targeting several Eastern European countries.\r\n
Unfortunately, we did not succeed in achieving the goal we set out to satisfy: identifying infrastructure associated with the Centreon exploitation activity documented by ANSSI. Yet although we failed in identifying specific infrastructure linked to this campaign, we did reveal tendencies which held during the 2017-2020 timeframe in which this campaign was active that could be used by defenders and analysts to disposition possible Sandworm-related intrusions. For example, the combination of registration, name server, hosting, and domain naming tendencies documented above and shown in the following appendices characterizes adversary tradecraft during the period of operation.\r\n
Overall, the investigation above reveals several aspects linked to Sandworm-related activity, if not directly associated with GRU Unit 74455 (based on NSA and other government attribution statements):\r\n
Widespread infrastructure creation with an emphasis on European hosting providers.\r\nDomain name tendencies that either reflect plausible items directly in root domains, or mimic legitimate services through long subdomains.\r\nSignificant operations targeting Linux environments across both the Exim and Centreon campaigns, including the use of both Linux-specific malware (Exaramel deployment) and native system commands (Exim post-exploitation activity).\r\nContinuous credential capture activity targeting a variety of email and social media services, with an emphasis on Ukraine, Bulgaria, and Russia, but with unknown intentions and purpose.\r\n
Conclusion\r\n
Starting with revelations concerning Sandworm-linked activity targeting French IT monitoring software, we identified certain overall adversary tendencies and intrusion possibilities leading to a previously-documented campaign leveraging a vulnerability in the Exim MTA. Based on further in-depth analysis of this campaign, we revealed additional infrastructure and adversary tendencies that shed light on a widespread credential harvesting campaign.\r\n
While we failed in our initial goal of attempting to identify concrete links between the Centreon and Exim campaigns given their temporal overlap, we nonetheless succeeded in learning significantly more about a deeply concerning adversary. Armed with this knowledge, network defenders and CTI analysts can mine internal data repositories and external information sources for further links or to disposition prior intrusions now illuminated with these discoveries.\r\n
By applying the investigative and enrichment techniques detailed above with respect to Sandworm to other threats of interest, we can gain greater insight into fundamental adversary tradecraft and tendencies. Equipped with this insight, defenders and CTI professionals can then more accurately or efficiently research and prosecute intrusions by having the background knowledge necessary to appropriately categorize and understand identified intrusions and their related artifacts.\r\n
Appendix A: Linked Domains\r\n
Domain Registrar Date Created Primary IP Address\r\nappservice[.]site PublicDomainRegistry 10 Jan 2019 193.200.209[.]200\r\napse[.]xyz PublicDomainRegistry 28 Aug 2018 91.197.145[.]114\r\nbase64encode[.]ml Freenom 3 Sep 2018 74.119.219[.]82\r\nbg-abvmail[.]ga Freenom 26 Aug 2018 141.8.224[.]221\r\nbg-abvmail[.]pw EPAG DomainServices 2 Oct 2018 78.130.144[.]40\r\ncacheappfb[.]cf Freenom 10 Aug 2018 91.205.6[.]143\r\nchecklogin[.]in Tucows 30 Aug 2018 78.130.144[.]40\r\nfbapp[.]info Tucows 24 Dec 2018 46.4.10[.]58\r\nfbapp[.]link Tucows 24 Dec 2018 68.235.34[.]235\r\nfbapp[.]top Tucows 24 Dec 2018 46.151.81[.]242\r\nfbsocialnet[.]ga Freenom 6 Nov 2018 91.205.6[.]143\r\ngreatbookbase[.]com PublicDomainRegistry 9 Jun 2018 46.28.202[.]254\r\ngreatupdate[.]net PublicDomainRegistry 1 Jun 2018 46.28.202[.]254\r\nhostapp[.]art Tucows 11 Dec 2018 91.197.145[.]114\r\nhostapp[.]be Tucows 24 Dec 2018 176.10.104[.]219\r\nhostapp[.]link Tucows 20 Dec 2018 77.47.193[.]36\r\nkyev[.]net NameSilo 24 Dec 2018 185.226.67[.]190\r\nlogin[.]photography PublicDomainRegistry 18 Oct 2018 46.28.202[.]254\r\nlogin-site[.]online NameSilo 18 Oct 2018 46.28.202[.]254\r\nmalamsenin[.]xyz West263 25 Dec 2019 72.52.179[.]175\r\nmemcached[.]cc NameSilo 28 Aug 2018 193.106.29[.]250\r\nmemcached[.]in PublicDomainRegistry 21 Sep 2018 91.197.145[.]114\r\nnsoxt[.]com NameSilo 11 Dec 2018 193.200.209[.]200\r\nspdup[.]art Tucows 21 Dec 2018 89.108.72[.]196\r\nspdup[.]be Tucows 22 Dec 2018 46.28.202[.]254\r\nspdup[.]info Tucows 22 Dec 2018 46.28.202[.]254\r\nthehomeofbaseball[.]com PublicDomainRegistry 5 Jun 2018 77.47.193[.]36\r\nupdatenote[.]net NameSilo 4 Jun 2018 46.28.202[.]254\r\nupdatenote[.]tk Freenom 14 May 2017 78.130.144[.]40\r\nuserarea[.]click Tucows 18 Nov 2019 91.195.240[.]117\r\nuserarea[.]eu Tucows 13 Nov 2019 185.226.67[.]190\r\nuserarea[.]in Tucows 13 Nov 2019 5.255.90[.]243\r\nuserarea[.]top Tucows 14 Nov 2019 194.117.236[.]33\r\nwebcache[.]one Tucows 13 Nov 2019 195.211.197[.]25\r\nworkbench[.]run NameSilo 21 Sep 2018 91.197.145[.]114\r\n
Appendix B: Identified IP Addresses\r\n
IP Address Hosting Provider Hosting Location Start Activity End Activity\r\n103.94.157[.]5 SBP Corporation IN May 2020 Aug 2020\r\n119.252.189[.]49 ZoneNetworks AU Aug 2018 Aug 2018\r\n176.10.104[.]219 Datasource AG CH Dec 2019 Dec 2019\r\n176.31.225[.]204 OVH FR Jan 2018 Jun 2018\r\n185.226.67[.]190 Aweb GR Oct 2019 Oct 2020\r\n185.44.67[.]193 Hydra GB Jul 2019 Jul 2019\r\n193.200.209[.]200 Infium UA Jan 2019 Dec 2019\r\n194.117.236[.]33 MyserverMedia RO Mar 2020 Nov 2020\r\n195.211.197[.]25 Tomich RU Mar 2020 Nov 2020\r\n205.204.66[.]196 Netelligent CA Jul 2019 Dec 2019\r\n31.148.63[.]236 FlashInternet UA Oct 2019 Dec 2019\r\n46.151.81[.]242 BigNet UA Jun 2019 Dec 2019\r\n46.161.40[.]16 WS171 RU Oct 2019 Oct 2019\r\n46.28.202[.]254 Solarcom CH Nov 2018 Dec 2019\r\n46.4.10[.]58 Hetzner DE Jun 2019 May 2020\r\n5.255.90[.]243 Serverius NL Feb 2020 Jun 2020\r\n68.235.34[.]235 Tzulo US Jan 2019 Dec 2019\r\n77.47.193[.]36 NTUU UA Oct 2018 Dec 2019\r\n78.130.144[.]40 Cooolbox BG Oct 2018 Jun 2019\r\n78.25.21[.]3 Alkar UA Jun 2019 Jun 2019\r\n79.124.75[.]234 Telepoint BG Feb 2019 May 2019\r\n85.158.77[.]2 SIA “SkaTVis” LV Nov 2019 Nov 2019\r\n87.230.102[.]40 PlusServer DE Aug 2018 Apr 2019\r\n89.108.72[.]196 Agava3 RU Jan 2019 Dec 2019\r\n91.197.145[.]114 Kumir UA Nov 2018 Jun 2019\r\n91.205.6[.]143 Sunline UA Aug 2018 Oct 2018\r\n92.62.139[.]114 Baltneta LT Mar 2020 Oct 2020\r\n94.75.193[.]239 LeaseWeb NL Nov 2019 Nov 2019\r\n95.216.13[.]196 Hetzner FI Jul 2019 Nov 2019\r\n
Source: https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm"
	],
	"report_names": [
		"centreon-to-exim-and-back-on-the-trail-of-sandworm"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434634,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f5d6d028898dce8bb445e07cc85a9bc66c51bed.pdf",
		"text": "https://archive.orkl.eu/5f5d6d028898dce8bb445e07cc85a9bc66c51bed.txt",
		"img": "https://archive.orkl.eu/5f5d6d028898dce8bb445e07cc85a9bc66c51bed.jpg"
	}
}