{
	"id": "5a55743d-2445-4fff-bde2-7290ccdd2c9d",
	"created_at": "2026-04-06T00:20:10.000852Z",
	"updated_at": "2026-04-10T03:34:43.823356Z",
	"deleted_at": null,
	"sha1_hash": "7faa0cff1e6fc7881b39b8f16e820dfbe9248b2e",
	"title": "Star Blizzard increases sophistication and evasion in ongoing attacks | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3729481,
	"plain_text": "Star Blizzard increases sophistication and evasion in ongoing\r\nattacks | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-12-07 · Archived: 2026-04-05 12:45:33 UTC\r\nJanuary 2025 update – In mid-November 2024, Star Blizzard was observed shifting their tactics,\r\ntechniques, and procedures (TTPs), likely in response to the exposure of their TTPs by Microsoft Threat\r\nIntelligence and other organizations. Learn more about our observations and findings in this Microsoft\r\nThreat Intelligence blog post: New Star Blizzard spear-phishing campaign targets WhatsApp accounts.\r\nOctober 2024 update – Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical\r\ninfrastructure used by Star Blizzard. We have updated this blog with the latest observed Star Blizzard\r\ntactics, techniques, and procedures (TTPs).\r\nMicrosoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian nation-state\r\nactor we call Star Blizzard. Star Blizzard has continuously improved their detection evasion capabilities while\r\nremaining focused on email credential theft against the same targets. Star Blizzard, whose activities we assess to\r\nhave historically supported both espionage and cyber influence objectives, continues to prolifically target\r\nindividuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as\r\nacademia, information security companies, and other entities aligning with Russian state interests. 
Microsoft\r\ncontinues to refine and deploy protections against Star Blizzard’s evolving spear-phishing tactics.\r\nMicrosoft is grateful for the collaboration on investigating Star Blizzard compromises with the international\r\ncybersecurity community, including our partners at the UK National Cyber Security Centre, the US National\r\nSecurity Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.\r\nThis blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs),\r\nbuilding on our 2022 blog as the threat actor continues to refine their tradecraft to evade detection. As with any\r\nobserved nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised,\r\nproviding them with the necessary information to secure their accounts.\r\nStar Blizzard TTPs observed in 2024\r\nStar Blizzard persistently introduces new techniques to avoid detection. These TTPs are employed for brief\r\nperiods and are either modified or abandoned once they become publicly known.\r\nMicrosoft has identified the following evasive techniques used by Star Blizzard in campaigns in 2024:\r\nUse of multiple registrars to register domain infrastructure\r\nUse of multiple link-shortening services and legitimate websites with open redirects, to hide actor-registered domains\r\nhttps://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/\r\nPage 1 of 47\n\nUse of altered legitimate email templates as spear-phishing lures\r\nUsing multiple registrars to register domain infrastructure\r\nIn December 2023, we highlighted that Star Blizzard was using the registrar NameCheap to register their domain\r\ninfrastructure. 
As CitizenLab reported (August 2024), the threat actor has also used Hostinger to register domains\r\nused in the infrastructure for email credential theft.\r\nMicrosoft can confirm that in 2024 Star Blizzard transitioned away from their long-standing practice of primarily using\r\na single domain name registrar. Among the registrars Star Blizzard was seen using in 2024 are the following:\r\nHostinger\r\nRealTime Register\r\nGMO Internet\r\nA list of recent domain names registered by Star Blizzard can be found at the end of this report.\r\nUse of multiple link-shortening services and legitimate websites to hide actor-registered domains\r\nSince August 2024, Star Blizzard has made substantial changes in the methods they employ to redirect targets to\r\ntheir virtual private server (VPS) infrastructure, on which Evilginx is installed and then used to facilitate\r\ncredential theft.\r\nIn December 2023, we detailed the threat actor’s use of email marketing platforms to avoid the need to embed\r\nactor-registered domains in their spear-phishing emails. This technique was abandoned in early 2024, with the\r\nthreat actor transitioning first to hosting the initial redirector website on shared infrastructure. Since August 2024,\r\nStar Blizzard has added multiple layers of redirection in front of their VPS infrastructure, utilizing various link-shortening\r\nservices and legitimate websites that can be used as open redirectors.\r\nFor example, in a recent spear-phishing email that was sent from an actor-controlled Outlook account, we found\r\nthat the threat actor had embedded into the attached PDF lure an initial link that had been created using Microsoft 365 Safe Links.\r\nSuch a Safe Links URL can only be generated by sending an email containing the link between actor-controlled\r\naccounts; the actor then copied the generated Safe Links URL for use in their attack. The wrapper gives the first hop a\r\nMicrosoft-owned hostname, so neither the recipient nor a filter that only inspects the visible link domain sees an actor-registered domain.
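The chain this section goes on to trace (a Safe Links wrapper in the PDF, then Bitly, then Cuttly, then a legitimate open redirector, then the filtering redirector mechengsys[.]net on shared hosting, then the Evilginx host vidmemax[.]com) is what an analyst has to walk hop by hop without letting an HTTP client auto-follow, because the intermediate hosts are the evidence. The following Python is an added example, not code from the Microsoft blog. It unwraps the Safe Links layer, follows one redirect at a time through an injectable fetch function, and labels each hop. The short-link slugs, the open-redirector site (legit-site.example) and the hop table are constructed stand-ins, since the blog does not print the real intermediate URLs; to use it live, replace fake_fetch with a client that sends a browser User-Agent and has redirect following disabled.

```python
"""Hop-by-hop resolver for a Star Blizzard style redirect chain.

Added example (not code from the Microsoft blog). It unwraps a Microsoft 365
Safe Links wrapper, follows each redirect manually so every hop is recorded,
and flags hops on the two actor domains the blog names. The short-link slugs,
the open-redirector site and the hop table are constructed stand-ins: the blog
does not print the real intermediate URLs.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Domains the blog names in its worked chain (refanged here).
IOC_DOMAINS = {"mechengsys.net", "vidmemax.com"}
# Link-shortening services the blog says the actor chained together.
SHORTENERS = {"bit.ly", "cutt.ly"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def unwrap_safelinks(url):
    """Return the original URL behind an Outlook Safe Links wrapper.

    Safe Links rewrites a link to
    https://<region>.safelinks.protection.outlook.com/?url=<encoded>&data=...;
    anything else is returned unchanged.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith(".safelinks.protection.outlook.com"):
        target = parse_qs(parsed.query).get("url")
        if target:
            return unquote(target[0])
    return url


def host_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(url):
    host = host_of(url)
    if host in IOC_DOMAINS:
        return "KNOWN-BAD"
    if host in SHORTENERS:
        return "shortener"
    return "hop"


def walk_chain(start, fetch, max_hops=10):
    """Resolve the chain one hop at a time.

    fetch(url) must return (status_code, location_header_or_None) WITHOUT
    following redirects itself. Returns a list of (url, label) in order. The
    walk stops at a 2xx landing page, at a refused hop (the shared-hosting
    redirector fingerprints the browser and answers scanners with an HTTP
    error), at a loop, or at max_hops.
    """
    url = unwrap_safelinks(start)
    chain = [(start, "safelinks-wrapper")] if url != start else []
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            chain.append((url, "loop"))
            return chain
        seen.add(url)
        chain.append((url, classify(url)))
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = location
        elif status >= 400:
            chain.append((url, f"refused-{status}"))
            return chain
        else:
            return chain
    chain.append((url, "hop-limit"))
    return chain


# Constructed hop table standing in for live HTTP responses.
HOPS = {
    "https://bit.ly/3xAmPLe": (301, "https://cutt.ly/eXampl3"),
    "https://cutt.ly/eXampl3": (
        301, "https://legit-site.example/out?to=https://mechengsys.net/"),
    "https://legit-site.example/out?to=https://mechengsys.net/": (
        302, "https://mechengsys.net/"),
    # shared-hosting redirector: fingerprints, then forwards to Evilginx host
    "https://mechengsys.net/": (302, "https://vidmemax.com/"),
    "https://vidmemax.com/": (200, None),
}


def fake_fetch(url):
    return HOPS.get(url, (404, None))


# Safe Links layout is real; the region prefix and data fields are placeholders.
SAMPLE_SAFELINK = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fbit.ly%2F3xAmPLe&data=05%7C02%7C&reserved=0"
)

if __name__ == "__main__":
    for hop_url, label in walk_chain(SAMPLE_SAFELINK, fake_fetch):
        print(f"{label:18} {hop_url}")
```

Run against live infrastructure, expect the mechengsys[.]net hop to refuse a non-browser client: that redirector runs the fingerprinting script described later in this post, so from a plain client the walk usually ends in a refused-4xx entry, which is itself a useful signal that the host is a filtering redirector rather than a dead link.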
\r\nFigure 1. Initial link in a spear-phishing campaign by Star Blizzard embedded in a PDF file\r\nThis link redirected to a shortened URL created using the Bitly link-shortening service, which resolved to another\r\nshortened URL created using the Cuttly link-shortening service. The second shortened URL redirected to a\r\nlegitimate website, used as an open redirector, which ultimately redirected to the first actor-controlled domain.\r\nThe website mechengsys[.]net was hosted on shared infrastructure at Hostinger and performed various filtering\r\nactions before ultimately redirecting to the domain vidmemax[.]com, which resolved to an actor-controlled VPS running\r\nEvilginx.\r\nFigure 2. Chain of redirection from initial link to the Star Blizzard-controlled domain\r\nUse of altered legitimate email templates as spear-phishing lures\r\nFor a brief period between July and August 2024, the threat actor utilized spear-phishing lures that did not contain,\r\nor link to, PDF lures embedding links that redirected to actor-controlled infrastructure. Instead, Star\r\nBlizzard sent targets an altered OneDrive file share notification that included a clickable link to a malicious URL.\r\nWhen clicked, the link initiated redirection to actor-controlled infrastructure. We observed Star Blizzard\r\nusing this approach in spear-phishing attacks against its traditional espionage targets, including individuals\r\nassociated with politics and diplomacy, NGOs, and think tanks.\r\nFigure 3. 
The attack chain used in Star Blizzard’s 2024 spear-phishing lure campaign\r\nIn this approach, the threat actor began by creating a new email account, usually a Proton account, intended to\r\nimpersonate a trusted sender so the recipient would be more likely to open the phishing email. The actor then\r\nstored a benign PDF or Word file in a cloud file-hosting service (for example, when targeting Microsoft\r\ncustomers, OneDrive) and shared the file with the newly created email account. The threat actor edited the HTML\r\nof the resulting share notification email, changing the displayed sender name and the URL behind the “Open” button that would otherwise\r\nlead back to the OneDrive-hosted file so that it directed to the Evilginx redirector domain instead. Because the\r\nnotification is a genuine OneDrive template, branding and layout give nothing away; only the destination of the “Open” link differs.\r\nStar Blizzard then sent the spear-phishing email to the target. When the “Open” button was clicked, it directed the\r\nuser to the redirector domain, which, after performing filtering based on browser fingerprinting and additional\r\nmethods, directed the target to an actor-controlled Virtual Private Server (VPS) with the Evilginx installation. The\r\nEvilginx server allowed Star Blizzard to perform an adversary-in-the-middle (AiTM) attack on an authentication\r\nsession to an email provider, capturing everything needed for subsequent sign-ins to the target’s email account: the\r\nusername, the password, and, where the target uses MFA, the session token issued once MFA is completed.\r\nFigure 4. 
Star Blizzard spear-phishing lure\r\nTTPs used in past Star Blizzard campaigns\r\nMicrosoft observed Star Blizzard using the following TTPs in campaigns before 2024, highlighting continuously\r\nevolving techniques used by the threat actor to evade detection:\r\nUse of server-side scripts to prevent automated scanning of actor-controlled infrastructure\r\nUse of email marketing platform services to hide true email sender addresses and obviate the need for\r\nincluding actor-controlled domain infrastructure in email messages\r\nUse of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS)\r\ninfrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing\r\ntheir service.\r\nPassword-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted\r\nShift to a more randomized domain generation algorithm (DGA) for actor-registered domains\r\nUse of server-side scripts to prevent automated scanning\r\nBetween April 2023 and December 2023, we observed Star Blizzard gradually moving away from using hCaptcha\r\nservers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection\r\nwas still performed by an actor-controlled server, first executing JavaScript code (titled “Collect and Send User\r\nData”) before redirecting the browsing session to the Evilginx server.\r\nShortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated\r\nversion (titled “Docs”), which is still in use today.\r\nThis capability collects various information from the browser performing the browsing session to the redirector\r\nserver. 
The code contains three main functions:\r\npluginsEmpty(): This function checks whether the browser has any plugins installed.\r\nisAutomationTool(): This function checks for various indicators that the page is being accessed by an\r\nautomation tool (such as Selenium, PhantomJS, or Nightmare) and returns an object with information\r\nabout the detected tools.\r\nsendToBackend(data): This function sends the data collected by isAutomationTool() to the server using a\r\nPOST request. If the server returns a response, the message in the response is executed using eval().\r\nFollowing the POST request, the redirector server assessed the data collected from the browser and decided\r\nwhether to allow continued browser redirection.\r\nWhen a good verdict was reached, the browser received a response from the redirection server redirecting it to the\r\nnext stage of the chain, which was either an hCaptcha for the user to solve or the Evilginx server directly.\r\nA bad verdict resulted in an HTTP error response and no further redirection. Because the next hop is delivered only\r\nas server-chosen code passed to eval() after the fingerprint passes, a crawler that does not execute the script, or that\r\nreports automation indicators, never learns where the chain leads.\r\nFigure 5. Content of POST request and server response using “Collect and Send User Data”\r\nJavaScript\r\nUse of email marketing platform services\r\nWe previously observed Star Blizzard using two different services, HubSpot and MailerLite. The actor used these\r\nservices to create an email campaign, which provided them with a dedicated subdomain on the service that was then\r\nused to create URLs. 
These URLs acted as the entry point to a redirection chain ending at actor-controlled\r\nEvilginx server infrastructure. The services also provided the user with a dedicated email address per configured\r\nemail campaign, which the threat actor has been seen to use as the “From” address in their campaigns.\r\nMost Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other\r\nresearch organizations using a common theme, aimed at obtaining their credentials for a US grants management\r\nportal. We assess that this use-case of the HubSpot mailing platform was to allow the threat actor to track large\r\nnumbers of identical messages sent to multiple recipients. Note the “Reply-to” address in these\r\nemails, which the HubSpot platform requires to be an actual in-use account. All the sender accounts in the\r\nfollowing examples were dedicated threat actor-controlled accounts.\r\nFigure 6. Examples of themed spear-phishing email headers\r\nOther HubSpot campaigns have been observed using the campaign URL embedded in an attached PDF lure or\r\ndirectly in the email body to perform redirection to actor-controlled Evilginx server infrastructure configured for\r\nemail account credential theft. We assess that in these cases, the HubSpot platform was used to remove the need\r\nfor including actor-controlled domain infrastructure in the spear-phishing emails and better evade detection based\r\non indicators of compromise (IOC).\r\nFigure 7. 
Example of victim redirection chain using initial HubSpot URL\r\nStar Blizzard’s use of the MailerLite platform is similar to the second HubSpot tactic described above, with the\r\nobserved campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.\r\nUse of a DNS provider to resolve actor-controlled domain infrastructure\r\nIn December 2022, we began to observe Star Blizzard using a domain name system (DNS) provider that also acts\r\nas a reverse proxy to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard\r\nregistered domains associated with their redirector servers use such a provider to obscure the resolving IP\r\naddresses allocated to their dedicated VPS infrastructure, so passive DNS on a redirector domain shows the\r\nproxy’s addresses rather than the VPS.\r\nWe have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.\r\nPassword-protected PDF lures or links to cloud-based file-sharing platforms\r\nStar Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security\r\nprocesses implemented by defenders, since a scanner without the password cannot open the document to inspect\r\nthe link inside. The threat actor usually sends the password to open the file to the targeted\r\nuser in the same or a subsequent email message.\r\nIn addition to password-protecting the PDF lures themselves, the actor has been observed hosting PDF lures at a\r\ncloud storage service and sharing a password-protected link to the file in a message sent to the intended victim.\r\nWhile Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft\r\nOneDrive), Proton Drive is predominantly chosen for this purpose.\r\nMicrosoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing\r\nactivities.\r\nFigure 8. 
Example of spear-phishing email with password-protected link to Proton Drive\r\nRandomizing DGA for actor-registered domains\r\nFollowing the detailed public reporting by Recorded Future (August 2023) on detection opportunities for Star\r\nBlizzard domain registrations, we have observed the threat actor making significant changes in their chosen\r\ndomain naming syntax.\r\nPrior to the public reporting, Star Blizzard utilized a limited wordlist for their DGA. Subsequently, Microsoft has\r\nobserved that the threat actor has upgraded their domain-generating mechanism to include a more randomized list\r\nof words.\r\nDespite the increased randomization, Microsoft has identified detection opportunities based on the following\r\nconstant patterns in Star Blizzard domain registration behavior:\r\nNamecheap remains the registrar of choice (as observed through 2023; as described above, registrations were\r\nspread across several registrars in 2024)\r\nDomains are usually registered in groups, many times with similar naming conventions\r\nX.509 TLS certificates are provided by Let’s Encrypt, created in the same timeframe as domain registration\r\nFigure 9. Examples of X.509 TLS certificates used by Star Blizzard\r\nA list of recent domain names registered by Star Blizzard can be found at the end of this report.\r\nConsistent TTPs since 2022\r\nStar Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email\r\nproviders that host organizational and/or personal email accounts.\r\nStar Blizzard continues to utilize the publicly available Evilginx framework to achieve their objective, with the\r\ninitial access vector remaining spear-phishing via email. Target redirection to the threat actor’s Evilginx\r\nserver infrastructure is still usually achieved using custom-built PDF lures that open a browser session. 
This\r\nsession follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a\r\n“phishlet” for the intended targets’ email provider.\r\nStar Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure\r\n(redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor-\r\nregistered domain.\r\nFigure 10. Typical Star Blizzard redirection chain to Evilginx infrastructure\r\nProtecting yourself against Star Blizzard\r\nAs with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes,\r\nindividual email users should be aware of who these attacks target and what they look like to improve their\r\nability to identify and avoid further attacks.\r\nThe following is a list of answers to questions that enterprise and consumer email users should be asking about\r\nthe threat from Star Blizzard:\r\nAm I at risk of being a Star Blizzard target?\r\nUsers and organizations are more likely to be a potential Star Blizzard target if connected to the following areas:\r\n1. Government or diplomacy (both incumbent and former position holders).\r\n2. Research into defense policy or international relations when related to Russia.\r\n3. 
Assistance to Ukraine related to the ongoing conflict with Russia.\r\nRemember that Star Blizzard targets both consumer and enterprise accounts, so there is an equal threat to both\r\norganization and personal accounts.\r\nWhat will a Star Blizzard spear-phishing email look like?\r\nStar Blizzard emails appear to be from a known contact that users or organizations expect to receive email from.\r\nThe sender address could be from any free email provider, but special attention should be paid to emails received\r\nfrom Proton account senders (@proton[.]me, @protonmail[.]com) as they are frequently used by the threat actor.\r\nAn initial email is usually sent to the target, asking them to review a document, but without any attachment or link\r\nto the document.\r\nThe threat actor will wait for a response, and following that, will send an additional message with either an\r\nattached PDF file or an embedded link, as detailed above in “Star Blizzard TTPs observed in 2024.”\r\nIf the targeted user has not completed authentication by entering their password in the offered sign-in page and/or\r\nsupplied all the required factors for multifactor authentication (MFA), the threat actor does not have the capability\r\nto successfully compromise the targeted account.\r\nOur recommendation to all email users that belong to Star Blizzard targeted sectors is to always remain vigilant\r\nwhen dealing with email, especially emails containing links to external resources. 
When in doubt, contact the\r\nperson you think is sending the email using a known and previously used email address, to verify that the email\r\nwas indeed sent by them.\r\nWhat happens if I interact with a Star Blizzard PDF lure?\r\nPressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code—this is\r\nthe beginning of the redirection chain. Targets will likely see a web page titled “Docs” in the initial page opened\r\nand may be presented with a CAPTCHA to solve before continuing the redirection. The browsing session will end\r\nshowing a sign-in screen to the account where the spear-phishing email was received, with the targeted email\r\nalready appearing in the username field.\r\nThe host domain in the web address is an actor-controlled domain (see appendix for full list), and not the\r\nexpected domain of the email server or cloud service.\r\nIf multifactor authentication is configured for a targeted email account, entering a password in the displayed sign-in\r\nscreen will trigger an authentication approval request. If passwordless access is configured for the targeted\r\naccount, an authentication approval request is immediately received on the device chosen for receiving\r\nauthentication approvals.\r\nAs long as the authentication process is not completed (a valid password is not entered and/or an\r\nauthentication request is not approved), the threat actor has not compromised the account.\r\nIf the authentication process is completed, the credentials have been successfully compromised by Star Blizzard,\r\nand the threat actor has all the required details needed to immediately access the mailbox, even if multifactor\r\nauthentication is enabled. The exception is phishing-resistant authentication (FIDO2 security keys, passkeys,\r\nWindows Hello for Business): those credentials are bound to the legitimate sign-in origin, so a sign-in attempted\r\nthrough the Evilginx proxy’s domain does not complete.\r\nFigure 11. 
Examples of Star Blizzard PDF lures when opened\r\nRecommendations\r\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or\r\ncompromised, providing them with the necessary information to secure their accounts.\r\nMicrosoft emphasizes that the following two mitigations will strengthen customers’ environments against Star\r\nBlizzard attack activity:\r\nUse phishing-resistant authentication methods.\r\nLock down account access using Conditional Access policies.\r\nMicrosoft is sharing indicators of compromise related to this attack at the end of this report to encourage the\r\nsecurity community to further investigate for potential signs of Star Blizzard activity using their security solution\r\nof choice. All these indicators have been incorporated into the threat intelligence feed that powers Microsoft\r\nDefender products to aid in protecting customers and mitigating this threat. If your organization is a Microsoft\r\nDefender for Office customer or a Microsoft Defender for Endpoint customer with network protection turned on,\r\nno further action is required to mitigate this threat presently. A thorough investigation should be performed to\r\nunderstand potential historical impact if Star Blizzard activity has been previously alerted on in the environment.\r\nAdditionally, Microsoft recommends the following mitigations to reduce the impact of this threat:\r\nUse advanced anti-phishing solutions like Microsoft Defender for Office 365 that monitor and scan\r\nincoming emails and visited websites. 
For example, organizations can leverage web browsers that\r\nautomatically identify and block malicious websites and provide solutions that detect and block malicious\r\nemails, links, and files.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can\r\nblock malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when\r\nMicrosoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to\r\nremediate malicious artifacts that are detected post-compromise.\r\nConfigure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint\r\nto take immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nTurn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to\r\ncover rapidly evolving attacker tools, techniques, and behaviors. These capabilities use artificial\r\nintelligence and machine learning to quickly identify and stop new and unknown threats.\r\nUse security defaults as a baseline set of policies to improve identity security posture. For more granular\r\ncontrol, enable conditional access policies. Conditional access policies evaluate sign-in requests using\r\nadditional identity driven signals like user or group membership, IP location information, and device status,\r\namong others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks\r\nthat leverage stolen credentials by enabling policies such as compliant devices or trusted IP address\r\nrequirements: a sign-in proxied through Evilginx reaches the identity provider from the actor’s VPS and without a\r\nmanaged device identity, so a trusted-location or compliant-device requirement fails it.\r\nImplement continuous access evaluation.\r\nContinuously monitor suspicious or anomalous activities. 
Investigate sign-in attempts with suspicious\r\ncharacteristics (for example, location, ISP, user agent, and use of anonymizer services).\r\nConfigure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning\r\nand rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in\r\nemail messages, other Office 365 applications such as Teams, and other locations such as SharePoint\r\nOnline. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in\r\ninbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your\r\norganization from malicious links that are used in phishing and other attacks.\r\nUse the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated\r\nphishing and password attack campaigns in your organization by training end users against clicking URLs\r\nin unsolicited messages and disclosing their credentials. Training should include checking for poor spelling\r\nand grammar in phishing emails or the application’s consent screen as well as spoofed app names, logos,\r\nand domain URLs appearing to originate from legitimate applications or companies. Note that Attack\r\nSimulator testing only supports phishing emails containing links at this time.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender\r\nSmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites\r\nthat contain exploits and host malware. 
In all web protection scenarios, SmartScreen and Network\r\nProtection can be used together to ensure protection across both Microsoft and non-Microsoft browsers and\r\nprocesses.\r\nMicrosoft Defender customers can turn on attack surface reduction rules to prevent common attack\r\ntechniques:\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion.\r\nBlock execution of potentially obfuscated scripts.\r\nAppendix\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails.\r\nSignals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlates cross-domain\r\nthreat intelligence to deliver coordinated defense when this threat has been detected. These alerts, however, can\r\nbe triggered by unrelated threat activity. Example alerts:\r\nA potentially malicious URL click was detected\r\nEmail messages containing malicious URL removed after delivery\r\nEmail messages removed after delivery\r\nEmail reported by user as malware or phish\r\nMicrosoft Defender SmartScreen\r\nMicrosoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC\r\nsection below. By enabling Network protection, organizations can block attempts to connect to these malicious\r\ndomains.\r\nMicrosoft Defender for Endpoint\r\nAside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following\r\nMicrosoft Defender for Endpoint alerts for this attack. Note that these alerts can also be triggered by unrelated\r\nthreat activity. 
Example alerts:\r\nStar Blizzard activity group\r\nSuspicious URL clicked\r\nSuspicious URL opened in web browser\r\nUser accessed link in ZAP-quarantined email\r\nSuspicious activity linked to a Russian state-sponsored threat actor has been detected\r\nConnection to adversary-in-the-middle (AiTM) phishing site\r\nUser compromised in AiTM phishing attack\r\nPossible AiTM phishing attempt\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information\r\nabout the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the\r\nintelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated\r\nthreats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nStar Blizzard\r\nDisrupting Star Blizzard’s ongoing phishing operations\r\nStar Blizzard adopting PDF-less approach to spearphishing\r\nStar Blizzard spearphishing campaign targets US think tanks\r\nMicrosoft Defender for Endpoint Threat analytics \r\nThreat Insights: Disrupting Star Blizzard’s ongoing phishing operations\r\nHunting queries  \r\nMicrosoft Sentinel \r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.  
\r\nOpen Email Link\r\nSuspicious Url Clicked\r\nDoc attachment with link to download\r\nPossible Phishing with CSL & NetworkSession\r\nPotential DGA detected\r\nPossible DGA Contacts\r\nPotential DGA Detected via Repetitive Failures AnomalyBased\r\nMultiVendor-Possible DGA Contacts\r\nSuccessful Signin From Non-CompliantDevice\r\nRisky User In 3P network activity\r\nIndicators of compromise\r\nDomain infrastructure observed in 2024\r\nDomain name Registrar Registered\r\nconfsendlist[.]org Hostinger UAB 2024/08/27 18:31\r\nasyncmainfunc[.]net Hostinger UAB 2024/08/27 17:52\r\npostpackfull[.]com Realtime Register 2024/08/27 17:26\r\nbootsgatein[.]net Hostinger UAB 2024/08/27 16:36\r\ngetshowprofile[.]com Realtime Register 2024/08/27 15:11\r\nuniversalindospices[.]com Realtime Register 2024/08/26 16:00\r\nnucleareng[.]net Hostinger UAB 2024/08/22 16:48\r\nembriodev[.]org Hostinger UAB 2024/08/22 12:36\r\ncompmatheng[.]com Eranet International 2024/08/21 13:52\r\nbiomechsys[.]org PublicDomainRegistry 2024/08/21 13:02\r\nabstractalg[.]com Hostinger UAB 2024/08/21 11:54\r\nepidemioeng[.]org Hostinger UAB 2024/08/21 11:44\r\nentomoleng[.]org PublicDomainRegistry 2024/08/19 13:52\r\nfirewalliot[.]org Hostinger UAB 2024/08/16 14:28\r\nvidmemax[.]com Hostinger UAB 2024/08/16 09:22\r\nauthadm[.]tools PublicDomainRegistry 2024/08/15 21:35\r\nopiloans[.]com GMO Internet 2024/08/15 03:45\r\nsteeldartpro[.]com GMO Internet 2024/08/15 01:09\r\nmechengsys[.]net Tucows 2024/08/08 15:53\r\npoortruncselector[.]com Hostinger UAB 2024/08/01 17:36\r\nkeyvaluepassin[.]net Hostinger UAB 2024/08/01 16:40\r\naeromechelec[.]org Hostinger UAB 2024/07/25 13:46\r\nquantumspherebyteonline[.]org 

Past Star Blizzard domain infrastructure
47\n\nEncrypt,\r\nCN=R3\r\nfirewitches[.]com\r\n2023/10/19\r\n10:40:51\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\nYes\r\nsolartemplar[.]com\r\n2023/10/19\r\n10:40:52\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\nYes\r\nencryptionrenewal[.]com\r\n2023/10/20\r\n13:36:24\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\nYes\r\nsslkeycert[.]com\r\n2023/10/20\r\n13:36:24\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\nYes\r\nbarbarictruths[.]com\r\n2023/10/23\r\n07:37:30\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\nYes\r\ncastlefranks[.]com\r\n2023/10/23\r\n07:37:33\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\nYes\r\ncomintroduction[.]com\r\n2023/10/24\r\n14:01:11\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\n \r\ncorpviewer[.]com\r\n2023/10/31\r\n13:10:38\r\nNameCheap,\r\nInc\r\nC=US,\r\nO=Let’s\r\nEncrypt,\r\nCN=R3\r\n \r\nStar Blizzard HubSpot campaign domains:\r\ndjs53104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023\r\nhttps://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/\r\nPage 46 of 47\n\ndjr6t104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023\r\ndjrzf704[.]eu1[.]hubspotlinksfree[.]com – used in August 2023\r\ndjskzh04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023\r\ndjslws04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023\r\ndjs36c04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023\r\ndjt47x04[.]eu1[.]hubspotlinksfree[.]com – used in September 2023\r\ndjvcl404[.]eu1[.]hubspotlinksfree[.]com – used in October 2023\r\nd5b74r04[.]na1[.]hubspotlinksfree[.]com – used in October 2023\r\ndjvxqp04[.]eu1[.]hubspotlinksfree[.]com – used in October 2023\r\nStar Blizzard MailerLite campaign domain:\r\nydjjja[.]clicks[.]mlsend[.]com – used in September 
2023\r\nReferences\r\nhttps://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/\r\nhttps://www.ncsc.gov.uk/news/spear-phishing-campaigns-targets-of-interest\r\nhttps://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"
	],
	"report_names": [
		"star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7faa0cff1e6fc7881b39b8f16e820dfbe9248b2e.pdf",
		"text": "https://archive.orkl.eu/7faa0cff1e6fc7881b39b8f16e820dfbe9248b2e.txt",
		"img": "https://archive.orkl.eu/7faa0cff1e6fc7881b39b8f16e820dfbe9248b2e.jpg"
	}
}