{
	"id": "2f418518-17f6-45b6-ab95-73a5405be6ce",
	"created_at": "2026-04-06T00:15:33.02201Z",
	"updated_at": "2026-04-10T03:24:24.597628Z",
	"deleted_at": null,
	"sha1_hash": "c201cc3bbeda4d871abf68131d5063ca67cd8b60",
	"title": "Revealing REvil Using DomainTools and Maltego",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 133680,
	"plain_text": "Revealing REvil Using DomainTools and Maltego\r\nBy Chad Anderson\r\nArchived: 2026-04-05 12:40:11 UTC\r\nRevealing REvil Ransomware With DomainTools and Maltego\r\nLooking at a Recent REvil (AKA Sodinokibi) Ransomware Indicator Set in Maltego Using the DomainTools Transforms\r\nAccording to a recent report by Symantec Enterprise Security, the REvil ransomware operators have been seen leveraging Cobalt Strike and scanning for vulnerable Point-of-Sale systems. The attackers are utilizing a mixture of AWS CloudFront for C2 and Pastebin for storing their payloads. Leveraging legitimate services here makes it difficult for incident responders to react, as any number of things may rapidly shift: infrastructure can be quickly spun up, torn down, and modified on cloud services with a host of modern configuration management tooling.\r\nHowever, the report included three IP addresses that can be investigated to provide more insight. With ransomware on the rise again, it’s important to do proper due diligence to see what else one can discover behind this single instance. I’ll do so by leveraging the DomainTools data set and Maltego to visually map out my research.\r\nFirst, the domains and IP addresses released in the report were:\r\n102.129.224[.]148\r\nhttps://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego\r\nPage 1 of 6\r\n23.81.143[.]21\r\n5.101.0[.]202\r\nd2zblloliromfu.cloudfront[.]net\r\nAlthough not directly mentioned in the report, it is helpful to time gate when this attack occurred to limit the scope of research. Since cloud services can shift at any moment (and indeed that CloudFront address, for instance, has had hundreds of allocations since January 2020), placing a barrier around the research will help separate signals from noise. As this report was released in late June 2020, I’m going to assume that the attacks took place after April of 2020. The reason I’m choosing this date is due to a bit of domain knowledge as a security professional: there are multiple reports that came out during the height of COVID-19 that indicated the group behind REvil were leveraging COVID-19-themed lures and attacking medical infrastructure with great effect. I can make an educated guess that at least one associate has shifted their targets now that the effectiveness of those lures is drying up.\r\nAn additional note before I begin: REvil samples usually contain thousands of domains used for C2, many unregistered and suspected decoys. The group is advanced in that there is a swath of methods used for exploiting victims and moving laterally in victims’ networks, with more than a dozen tools used to do so. They adapt their techniques for each organization they attack and evolve with each unique campaign. If you are looking to track REvil beyond understanding a single campaign event, then I would suggest reading KPN’s excellent write-up on tracking the group across hundreds of individual campaigns. If you are looking for a write-up of how a singular sample works, I cannot recommend McAfee’s analysis enough.\r\nInvestigating with Iris and Maltego\r\nSo to start, I’ll import these four entities from the report into Maltego. The paste function does a good job here of figuring out what types of entities these are.\r\nFrom there I’ll run a reverse lookup, marked under the DomainTools Iris transforms as “IP Address to Domain”, to get several domains to begin our searching.\r\nFrom a quick look at the entity details brought in from the Iris transforms, I noticed that the domains in the CN TLD are all from 2016 and before. Since I’m time gating our investigation, I’ll take a look at just the doomvoid[.]com domain then. Running that through the Farsight Passive DNS transform, I get a number of suspicious domains that fall within the time constraints.\r\nThe fact that this domain is running its own nameservers is suspicious enough given how often nameservers are now used for C2 signaling. The vedit-setfacl subdomain is interesting, as it references setfacl, a Linux command used to set file access control lists, and seems an odd error or perhaps a command mistype that ended up being picked up by a recursive resolver’s passive DNS sensor. Outside of those, both the abelian-don and mil-monstrous subdomains seem the most suspicious. Polling Farsight again for A records linked to those subdomains, I get two new IP addresses for this investigation.\r\nOut of those two new addresses, the only one that returns any additional context in our time frame is the 5[.]101[.]0[.]206 address, from which I can pull a domain, vila[.]website, using the Iris Investigate transform once again. This site, registered in May of 2020 through reg.ru, had a DomainTools Risk score of 93 out of 99 with a high chance of malware. This algorithm takes into account nearby domains, the infrastructure this domain sits on, and its history to determine the likelihood of its potential for maliciousness. 93 is considered a very high likelihood by the DomainTools machine learning classifiers. This may be in part due to the associated IP addresses existing on the Petersburg Internet Network, a Russia-based ISP located in Saint Petersburg from which malicious traffic has been observed in the past. Knowing that the REvil group is suspected to be Russia based, the high likelihood of malicious traffic from this network, and our timeframe, I can do a search for all Farsight Passive DNS query sets in that time frame for a[.]vila[.]website and I’ll get back four IPs in total:\r\n5.8.54[.]52\r\n5.101.0[.]206\r\n5.8.55[.]43\r\n5.101.6[.]227\r\nFrom here, outside of these IP addresses being on the same network as our original indicators, unfortunately, I cannot do much more to tie these to additional indicators or past reports. From this point, I can see that all of the IPs were likely linked during the same timeframe, but all there is left to do is monitor for maliciousness.\r\nWith each REvil associate and attack being well contained, and with some instances being hosted on constantly shifting cloud infrastructure, it’s important to become adept at mapping out an attack as quickly as possible in some visual form that can be passed along to leadership. Leveraging Maltego, the Iris Investigate transform, and other transforms at my disposal, I can rapidly build out a report in Maltego for export.\r\nSource: https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego"
	],
	"report_names": [
		"revealing-revil-ransomware-with-domaintools-and-maltego"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c201cc3bbeda4d871abf68131d5063ca67cd8b60.pdf",
		"text": "https://archive.orkl.eu/c201cc3bbeda4d871abf68131d5063ca67cd8b60.txt",
		"img": "https://archive.orkl.eu/c201cc3bbeda4d871abf68131d5063ca67cd8b60.jpg"
	}
}