{
	"id": "48549108-bea8-4629-8126-e99941cbab52",
	"created_at": "2026-04-06T00:14:42.954478Z",
	"updated_at": "2026-04-10T03:21:34.773994Z",
	"deleted_at": null,
	"sha1_hash": "91a82bcdb6ab63e882a10075be287ec8f1c33606",
	"title": "CISA updates Conti ransomware alert with nearly 100 domain names",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1677229,
	"plain_text": "CISA updates Conti ransomware alert with nearly 100 domain names\r\nBy Ionut Ilascu\r\nPublished: 2022-03-10 · Archived: 2026-04-05 18:56:42 UTC\r\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated the alert on Conti ransomware with\r\nindicators of compromise (IoCs) consisting of close to 100 domain names used in malicious operations.\r\nOriginally published on September 22, 2021, the advisory includes details observed by CISA and the Federal Bureau of\r\nInvestigation (FBI) in Conti ransomware attacks targeting organizations in the U.S. The updated cybersecurity advisory\r\ncontains data from the U.S. Secret Service.\r\nConti IoC domains\r\nInternal details from the Conti ransomware operation started to leak at the end of February after the gang announced\r\npublicly that they side with Russia over the invasion of Ukraine.\r\nhttps://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nThe leak came from a Ukrainian researcher, who initially published private messages exchanged by the members of the gang\r\nand then released the source code for the ransomware, administrative panels, and other tools.\r\nThe cache of data also included domains used for compromises with BazarBackdoor, the malware used for initial access to\r\nnetworks of high-value targets.\r\nCISA says that Conti threat actor has hit more than 1,000 organizations across the world, the most prevalent attack vectors\r\nbeing TrickBot malware and Cobalt Strike beacons.\r\nThe agency today released a batch of 98 domain names that share “registration and naming characteristics similar” to those\r\nused in Conti ransomware attacks from groups distributing the malware.\r\nThe agency notes that while the domains have been 
used in malicious operations some of them “may be abandoned or may\r\nshare similar characteristics coincidentally.”\r\nThe above list of domains associated with Conti ransomware attacks appear to be different from the hundreds that the\r\nUkrainian researcher leaked from BazarBackdoor infections.\r\nDespite the unwanted attention that Conti received recently due to 
the exposure of its internal chats and tools, the gang did\r\nnot pull the brakes on its activity.\r\nSince the beginning of March, Conti listed on its website more than two dozen victims in the U.S. Canada, Germany,\r\nSwitzerland, U.K., Italy, Serbia, and Saudi Arabia.\r\nSource: https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/"
	],
	"report_names": [
		"cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names"
	],
	"threat_actors": [],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91a82bcdb6ab63e882a10075be287ec8f1c33606.pdf",
		"text": "https://archive.orkl.eu/91a82bcdb6ab63e882a10075be287ec8f1c33606.txt",
		"img": "https://archive.orkl.eu/91a82bcdb6ab63e882a10075be287ec8f1c33606.jpg"
	}
}