{
	"id": "fce42412-c963-411f-a997-59bb4e6978f4",
	"created_at": "2026-04-06T00:09:01.335317Z",
	"updated_at": "2026-04-10T03:36:33.979896Z",
	"deleted_at": null,
	"sha1_hash": "603415595bb6b6b24e4543642a75873870eb42a0",
	"title": "ThreatConnect Research Roundup: Possible Ryuk Infrastructure | ThreatConnect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 441546,
	"plain_text": "ThreatConnect Research Roundup: Possible Ryuk Infrastructure | ThreatConnect\r\nBy ThreatConnect\r\nPublished: 2020-10-16 · Archived: 2026-04-05 17:50:36 UTC\r\nHowdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).\r\nNote: Viewing the pages linked in this blog post requires a ThreatConnect account.\r\nRoundup Highlight: Possible Ryuk Infrastructure\r\nhttps://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/\r\nPage 1 of 4\n\nScreenshot of a “news” site identified in 20201013A: Possible Ryuk Infrastructure, 20201015A: Additional Possible Ryuk Infrastructure\r\nIn this Roundup, we highlight Incidents 20201013A: Possible Ryuk Infrastructure and 20201015A: Additional Possible Ryuk Infrastructure.\r\nThreatConnect Research identified several possible Ryuk domains based on consistencies with infrastructure identified in Incident 20200930A: Domains Registered Through MonoVM Used with Cobalt Strike. Those consistencies include naming similarities, registration through NameCheap, and reuse of the same CIDR blocks for hosting. However, those consistencies are not unique and most of the identified infrastructure is not hosted on ASNs seen in the previous infrastructure, SSL certificates have not been created for most of the domains, and we have no information on Cobalt Strike or Bazar communicating with this infrastructure. Additionally, one of the domains — service-boostter.com — uses a Let’s Encrypt SSL certificate, which differs from the previously identified infrastructure. 
New SSL certificates or relevant malicious file behavior consistent with the previously identified infrastructure would help increase our confidence in the assessed relationship to Ryuk.\r\nThe identified infrastructure includes the following:\r\nWe identified several additional possible Ryuk domains based on consistencies with Incident 20200930A. At least two of the domains were also identified in behavioral information for Cobalt Strike executables, similar to those in the aforementioned Incident. The domains’ consistencies include naming similarities, registration through NameCheap, and reuse of the same CIDR blocks for hosting. It should be noted that those consistencies are not unique and most of the identified infrastructure is not hosted on ASNs seen in the previous infrastructure and SSL certificates have not been created for most of the domains. 
New SSL certificates or relevant malicious file behavior consistent with the previously identified infrastructure would help increase our confidence in the assessed relationship to Ryuk.\r\nThe identified infrastructure and files include the following:\r\nThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.\r\n20201011A: File Matching YARA Rule Associated to Mustang Panda PlugX\r\nThreatConnect Research identified a Mustang Panda PlugX binary and extracted Command and Control locations from the embedded configuration.\r\nTechnical Blogs and Reports\r\nIncidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).\r\nEmotet C2 Deltas from 2020/10/14 as of 08:15EDT or 12:15UTC (Source: https://paste.cryptolaemus.com/emotet/2020/10/14/emotet-C2-Deltas-1215-0815_10-14-20.html)\r\nDaily Emotet IoCs and Notes for 10/14/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/14/emotet-malware-IoCs_10-14-20.html)\r\nThreat Roundup for October 2 to October 9 
(Source: https://blog.talosintelligence.com/2020/10/threat-roundup-1002-1009.html)\r\nEmotet C2 Deltas from 2020/10/12 as of 17:45EDT or 21:45UTC (Source: https://paste.cryptolaemus.com/emotet/2020/10/12/emotet-C2-Deltas-2145-1745_10-12-20.html)\r\nTo receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.\r\nAbout the Author\r\nThreatConnect\r\nBy operationalizing threat and cyber risk intelligence, the ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.\r\nSource: https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/"
	],
	"report_names": [
		"threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/603415595bb6b6b24e4543642a75873870eb42a0.pdf",
		"text": "https://archive.orkl.eu/603415595bb6b6b24e4543642a75873870eb42a0.txt",
		"img": "https://archive.orkl.eu/603415595bb6b6b24e4543642a75873870eb42a0.jpg"
	}
}