Jigsaw John
66 posts

Jigsaw John
@malPileDiver
Threat Hunter / Wannabe APT Researcher / Passionate Pile of Malware Diver
Joined February 2023
126 Following 211 Followers

#APT #Gamaredon #PrimitiveBear 🤡
🛸VT undetected: 0/0
☘️Created: May
🌐TLD: .ru
rashidiso[.]ru
panahaziso[.]ru
neferzi[.]ru
nebtoizi[.]ru
nebibizi[.]ru
nahtizi[.]ru
naborzi[.]ru
minkazi[.]ru
mhotepzi[.]ru
@ET_Labs
@500mk500

#Gamaredon #APT domains
mudadazi[.]ru
luzidzhso[.]ru
muhvanazi[.]ru
neythzi[.]ru
And some active IPs
185.39.207.11
178.128.80.120
193.228.128.6
139.59.228.153
77.105.136.204 <- unusual provider AS207651 aka @vdsina
77.246.98.78
62.84.96.161
@Cyber0verload @500mk500 @ET_Labs

#Gamaredon #APT domains, common naming style
menesso[.]ru
kuaashiso[.]ru
lizimbaso[.]ru
koseyso[.]ru
mbiziso[.]ru
kontarso[.]ru
maatso[.]ru
And some active IPs
78.153.139.42
146.190.128.157
146.190.44.22
159.223.75.181
64.227.102.216
147.182.241.170
@500mk500 @Cyber0verload @ET_Labs

Daily #Gamaredon #APT domains.
Generous amount of 🤡 activity today. Nice!
kemnebipa[.]ru
idogbpa[.]ru
imenandpa[.]ru
porotad[.]ru
galofad[.]ru
dzhibeydpa[.]ru
mensaso[.]ru
dzhumoukpa[.]ru
knemuso[.]ru
@500mk500 @Cyber0verload @ET_Labs

Daily #Gamaredon #APT domains
karoanpa[.]ru
ishakpa[.]ru
dakareypa[.]ru
Interesting to see a persistent Turkic flavour in the 2022-2023 domains, such as Turkic and Muslim-related names and words like ishak, kafir, Rustam, etc.
@500mk500 @Cyber0verload @ET_Labs

@Cyber0verload @500mk500 @ET_Labs *deploying more and more malicious infrastructure
Sure, can't tweet without a typo 🙃

Daily #Gamaredon #APT domains.
After April operations slowdown, FSB shows nice pace these days, deploting more and more malicious infrastructure every day
keymnvatipa[.]ru
kafiripa[.]ru
donkorpa[.]ru
kemoziripa[.]ru
butiram[.]ru
badarus[.]ru
@Cyber0verload @500mk500 @ET_Labs

#Gamaredon #APT fresh domains (created May 2023).
Good old pseudo-DGA style
dzhabaripa[.]ru
goruspa[.]ru
dzhahipa[.]ru
iknatonpa[.]ru
zuberipa[.]ru
kaziyapa[.]ru
zaherpa[.]ru
kahotepa[.]ru
#PrimitiveBear #TridentUrsa
@Cyber0verload @500mk500 @ET_Labs

Active #Gamaredon #APT infrastructure
185.247.184.103
185.247.184.101
167.172.154.5
206.189.12.131
185.247.184.102
193.149.176.118
162.33.178.52 <- already39[.]brudimar[.]ru, ongoing campaign on the fresh domain from one of my previous tweets 🙂
@500mk500 @Cyber0verload @ET_Labs

And some #Gamaredon #APT active infrastructure. @digitalocean (at most) business as usual🙃
193.149.180.132
164.90.233.13
170.64.134.168
147.182.160.122
104.248.148.95
192.241.136.125
165.232.82.235
170.64.180.56
162.33.178.82
162.33.178.23
@500mk500 @Cyber0verload @ET_Labs

After a short break, #Gamaredon slightly increased their activity, creating a bunch of new malicious domains
haramad[.]ru
lotgunok[.]ru
saturnec[.]ru
brudimar[.]ru
vloperang[.]ru
weratas[.]ru
banrasac[.]ru
norasold[.]ru
amoresa[.]ru
@500mk500 @Cyber0verload @ET_Labs

Daily #Gamaredon with a few new domains
zeraon[.]ru
farukend[.]ru
Active infrastructure
143.244.168.12
165.232.148.157
165.227.81.59
167.99.9.163
162.33.177.147
204.48.16.4
134.209.218.236
194.87.45.49
164.90.148.202
167.172.34.185
@500mk500 @Cyber0verload @ET_Labs

Active #Gamaredon infra to track (Apr 30 - May 1)
170.64.160.67
84.32.131.66
64.52.80.126
134.122.77.158
68.183.131.231
45.61.138.92
67.205.178.50
64.226.96.179
134.209.115.37
128.199.8.231
170.64.128.193
139.59.116.50
142.93.232.180
@500mk500 @Cyber0verload @ET_Labs

Despite the public holiday in Russia, FSB guys from #Gamaredon 🤡 are getting hands dirty today with a few new domains
absorbeni[.]ru
boskatrem[.]ru
lopraner[.]ru
malived[.]ru
taramis[.]ru
@500mk500 @Cyber0verload @ET_Labs

#Gamaredon seems to be on weekend, so no new domains for today, but here is some active infra
46.101.160[.]244
159.89.205[.]135
143.244.152[.]233
170.64.174[.]17
5.44.42[.]119
5.44.42[.]120
84.32.131[.]60
81.19.140[.]131
168.100.10[.]239
164.92.174[.]73
@500mk500 @Cyber0verload @ET_Labs

Daily #Gamaredon with newcomer BLNWX as an infra choice. (Btw, is this BitLaunch related? 🤔)
squeamish[.]ru
stupendous[.]ru
scattered[.]ru
168.100.10[.]180
143.110.150[.]224
165.232.165[.]42
165.22.6[.]62
5.44.42[.]116
170.64.176[.]71
162.33.178[.]242
@500mk500 @Cyber0verload @ET_Labs

Daily #Gamaredon new domains + active infrastructure
succinct[.]ru <- campaign ongoing now at position71[.]succinct[.]ru
decorous[.]ru
judicious[.]ru
146.190.48[.]240
199.247.10[.]72
128.199.199[.]39
212.18.104[.]28
78.141.202[.]70
@500mk500 @Cyber0verload @ET_Labs
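Added example (not from the author's tweets): a small Python matcher that refangs the indicators posted on this page back into real domains and IPs, runs them over DNS and proxy log lines, and gives a separate verdict for the "<word><digits>" campaign hostnames the author points out at position71[.]succinct[.]ru and already39[.]brudimar[.]ru. The log format, the sample log lines and the campaign-label regex are assumptions constructed for the example; the indicator subset is copied from this page.

```python
import re
from typing import List, Optional, Tuple

# Subset of the indicators posted on this page, kept in the author's defanged form
# (both the "[.]" and the occasional "[." variants appear in the tweets).
DEFANGED_DOMAINS = [
    "succinct[.]ru", "decorous[.]ru", "judicious[.]ru",
    "brudimar[.]ru", "haramad[.]ru", "rashidiso[.]ru", "mudadazi[.ru",
]
DEFANGED_IPS = ["162.33.178.52", "146.190.48[.]240", "46.101.160[.244", "185.39.207.11"]


def refang(ioc: str) -> str:
    """Undo the page's defanging so the value can be compared against live telemetry."""
    return ioc.replace("[.]", ".").replace("[.", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Campaign hostnames on the page look like "<word><digits>.<ioc-domain>" (already39.brudimar.ru,
# position71.succinct.ru). Assumption: the pattern is generalised from those two observations only.
CAMPAIGN_LABEL = re.compile(r"^[a-z]+\d+$")


def classify_host(host: str) -> Optional[str]:
    """Return a verdict for a queried hostname, or None when it does not touch the IOC set."""
    host = host.lower().rstrip(".")
    if host in DOMAINS:
        return "ioc-domain"
    labels = host.split(".")
    # Walk the parent domains: a.b.c.ru -> b.c.ru -> c.ru, stopping before the bare TLD.
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in DOMAINS:
            prefix = ".".join(labels[:i])
            return "ioc-campaign-subdomain" if CAMPAIGN_LABEL.match(prefix) else "ioc-subdomain"
    return None


# Constructed log format (not any real sensor's): "<ts> <src-ip> query <hostname>" for DNS,
# "<ts> <src-ip> connect <dst-ip>:<port>" for outbound TCP.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>query|connect)\s+(?P<target>\S+)$")


def scan_log(lines) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source, indicator, verdict) for every line that hits the IOC set."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the whole hunt
        target = m.group("target")
        if m.group("kind") == "connect":
            dst_ip = target.rsplit(":", 1)[0]
            if dst_ip in IPS:
                hits.append((m.group("ts"), m.group("src"), dst_ip, "ioc-ip"))
        else:
            verdict = classify_host(target)
            if verdict:
                hits.append((m.group("ts"), m.group("src"), target.lower(), verdict))
    return hits


# Constructed sample telemetry for the example: two campaign lookups, one C2 connect,
# one plain subdomain of an IOC domain and two benign lines.
SAMPLE_LOG = [
    "2023-05-11T09:14:02Z 10.0.0.5 query already39.brudimar.ru",
    "2023-05-11T09:14:03Z 10.0.0.5 connect 162.33.178.52:443",
    "2023-05-11T09:20:41Z 10.0.0.7 query position71.succinct.ru",
    "2023-05-11T09:21:00Z 10.0.0.7 query mail.example.com",
    "2023-05-11T09:22:10Z 10.0.0.9 connect 93.184.216.34:443",
    "2023-05-11T09:25:33Z 10.0.0.9 query cdn.succinct.ru",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The verdict split matters in practice: a hit on the registered domain or on a "<word><digits>" label is the live campaign pattern the author describes, while any other subdomain of an IOC domain is still worth a ticket but may be sinkhole or researcher traffic.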

Active #Gamaredon #APT infra to track + few new domains
nahalx[.]ru
baraslx[.]ru
170.64.132[.]183
137.184.9[.]252
146.190.104[.]237
68.183.122[.]121
195.133.88[.]63
178.128.53[.]132
143.244.184[.]231
164.92.96[.]103
195.133.88[.]49
@500mk500 @Cyber0verload @ET_Labs

#Gamaredon #APT still very active today, rolling back to the "eng-adjective" naming style.
Curious if their naming scheme identifies some specific campaign 🤔
maniacal[.]ru
unequaled[.]ru
adjoining[.]ru
unwieldy[.]ru
lokalut[.]ru
suizibel[.]ru
@500mk500 @Cyber0verload @ET_Labs

@Cyber0verload Awesome work!
Btw, AS49505 is highly likely the reg.ru parked-domain dummy IP 🙂

Last week #Gamaredon active infra 🎯
Total IPs: 188
VT Detections:
🟢101 🔴87
ASNs:
AS14061 DigitalOcean, LLC
AS20473 The Constant Company, LLC
AS207713 GLOBAL INTERNET SOLUTIONS LLC
AS16125 / AS204770 UAB Cherry Servers
AS49505 OOO "Selectel"
Full List:
pastebin.com/ZrcjYTVL
