Infrastructure Analysis: LockBit 3.0 Ransomware Affiliates Exploit CVE-2023-4966 Citrix Bleed Vulnerability

Joshuapenny
Published in OSINT TEAM
13 min read · Nov 24, 2023

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

Authors: Joshua Penny, Michael Koczwara

Tools used: Shodan, Censys, VirusTotal, UrlScan, Validin, Maltego

Summary

In this blog post, we’re going to take a look at the recent IOCs provided by Boeing in the joint CISA/FBI/ACSC report. LockBit 3.0 affiliates are exploiting CVE-2023-4966, known as Citrix Bleed, in Citrix NetScaler application delivery controller (ADC) and Gateway appliances. The report contains useful information on TTPs and technical information on the vulnerability. However, we will focus only on Tables 1–5 from the affiliate campaigns. The aim is to identify other infrastructure linked to these affiliates and to track current and future activity, whilst detailing our approach in the process.

Diamond Model

Campaign Analysis

The first analysis we conducted began at Table 1 in the report:

Ok let’s map this out in Maltego:

Ok, straight away when annotating this initial graph, we can make some very quick and interesting observations:

  1. Chang Way involvement on a high-fidelity IP address. For anyone who hasn’t read Josh’s first blog, this hosting provider was attributed to the exploitation of a previous Citrix vulnerability, CVE-2023-3519, which implanted webshells on Citrix NetScaler gateways. You can read it here: https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65. Anyone with a Citrix device should definitely block any and all connectivity to this ASN (AS57523). Ok, everyone else should too. IP 62.233.50[.]25 is associated with SIERRA LLC, which is leasing IP space from Chang Way Technologies. The FTP connectivity on 193.201.9[.]224 (high fidelity) is also on Chang Way Technologies. This ASN has previously been associated with BlackByte ransomware affiliates hosting victim data, and now with LockBit 3.0 for the exploitation of Citrix vulnerabilities. Other activities also include bulletproof hosting, run by the individual named “processor”.
  2. In addition to being associated with Chang Way, 62.233.50[.]25 is also a Covenant Command and Control (C2) server. “Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.” — https://github.com/cobbr/Covenant
  3. The TeamViewer IP address 185.17.40[.]178, whilst low fidelity, has some interesting fingerprints that may assist in increasing the connections to this affiliate.

So now, let’s look into these observations further.

Covenant — 62.233.50[.]25

First, let’s punch this IP into VirusTotal:

Firstly, we can observe some very recent PowerShell and .exe files. We can also see the same URL path from our first diagram in the Relations tab.

Additionally, payload_1.exe is labelled as Covenant, loaded by the first PowerShell script:

Additionally, within the comments section we can see that this IP address was already listed by Rapid7 as part of Citrix brute-forcing activity which ultimately led to Akira and LockBit 3.0 ransomware: https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/. The writeup details how 11 customers “experienced Cisco ASA-related intrusions between March 30 and August 24, 2023.” A number of the IP addresses listed in that report are hosted on the following hosting providers:

  • Chang Way Technologies Co. Limited
  • Flyservers S.A.
  • Xhost Internet Solutions Lp
  • NForce Entertainment B.V.
  • VDSina Hosting

These are all well known to be associated with malicious activity. Another interesting indicator to add to our investigation: “WIN-R84DEUE96RB”. Rapid7 also linked the increased scanning activity with a dark web post by an Initial Access Broker (IAB), Bassterlord, selling a guide on brute-forcing Citrix VPNs for $10k, which was subsequently leaked.

Censys and Shodan have also handily labelled this first IP as a C2 on port 7443. Another clear indicator is the SSL Issuer and Subject fields containing the default value “Covenant”.

Censys:

Shodan:

This is a very straightforward hunt analytic for Covenant C2, with Shodan and Censys even doing the job for us. However, to really dig a little deeper into this specific configuration we need more information than that. Using the available information from our initial IP address we can identify 24 additional servers in Shodan and 14 in Censys matching our affiliate C2: try using the SSL JARM, banner info and a few more criteria to see if you can get the same results!

Atera

The Atera IP Address is hosted on Microsoft and as an exercise, we can see all the other Atera servers hosted by Microsoft here:

TeamViewer

Ok, let’s look at its RMM-partner-in-crime, TeamViewer.

Now, this was a “low fidelity” IP, but it was a high-interest pivot. For the observant, we gave the clue away in the first image: a banner hash for SSH (port 22). As a reminder, this is a hash that results from a mathematical calculation based on the client-server negotiation. Let’s open up this can of worms.

By using the SSH banner hash we can return 111 results in Censys, so let’s break these findings down.

There is a clear distinction in that the SSH fingerprint can be found on two main hosting providers, M247 and ARTNET, though not exclusively. We can also identify a number of services and labels to continue our investigation. The first step we took was to identify any correlation between the IPs and malware or post-exploitation tooling:

We were able to identify 111 servers, with 31 acting as C2s for a wide range of malicious files. There is a notable concentration of servers linked to BumbleBee, Raccoon Stealer, Record Breaker and Solarmarker, and a number of these IP addresses are clean in VirusTotal. Additionally, one IP address has been labelled by the community as involved in VPN exploitation. However, there are more findings beyond the identification of command and control servers.

Email servers

The table below shows the DNS names of the email servers:

However, this doesn’t identify all domains associated with these servers. We ran a similar search in Censys but focused on the SSL subject common name to identify the cluster of domains to narrow in on:

There is an interesting connection between a number of these domains, namely the ones with the “.com” TLD. Using a tool such as Validin, we can identify connecting attributes for these hostnames such as the first and last seen dates and the name servers. The earliest observed date for these domains is 20/10/2023; they are all registered with Namecheap and have DNS records on dns1.registrar-servers.com and dns2.registrar-servers.com. For example:

Additionally, most of the domains are tagged as malicious by a small number of AV vendors.

However, despite further investigation, we currently stopped at the below screenshots in VirusTotal, which show a number of different URL paths that appear to be DGA names. At the time of this investigation we could not identify or correlate this with other indicators; however, we welcome other researchers’ input.

What was interesting in VirusTotal was that, across all of the scanned URLs, there were no malicious files or submitted emails to help with our assessment.

The other interesting finding we uncovered was a login panel that, whilst labelled as malicious, we were unable to uncover further information on:

Even the login panel is very generic and doesn’t contain any identifiable features to indicate a service or function:

FTP

On to the “High Fidelity” FTP IP address also hosted on Chang Way:

Using similar techniques, we can also pivot and focus on servers that display similar characteristics to the initial IP, allowing us to cluster other possible servers to the same activity or actor. For this server, we are able to identify additional servers potentially linked to LockBit using the available criteria in Censys:

Interestingly, all 3 IP addresses are hosted on SELECTEL in Moscow and St. Petersburg, Russia. Additionally, 193.201.9[.]225 is only one IP address up from our original IP on the same subnet. This is a good indication we are onto something with this pivot.

Another IP identified running the same SSL Certificate Subject Name and Issuer was 92.53.65[.]97. This IP address is running an AnyDesk Client on port 7070. This IP is also hosted on SELECTEL.

RDP

Last but not least, the TeamViewer IP also had port 3389 (RDP) open, using the same PASCAL certificate. If we build another hunt rule around the SSL cert, ports and other criteria, we can also identify 36 servers, all hosted on the hosting provider SELECTEL:

After a quick check of these IPs in VirusTotal, 3 interesting IPs stand out. These IPs are all associated with Avaddon ransomware and have similar files, all communicating in February 2023. These IPs have the same RDP configuration as the TeamViewer IP address of our LockBit affiliate. This could indicate previous activity with Avaddon prior to working with LockBit.
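The Covenant default-certificate analytic, the SSH banner hash pivot and the RDP certificate pivot above are all the same operation: take a seed host, extract its pivot-able attributes, and find other scan records that share them. The script below is an added example written for this post, not code from the authors or from Censys/Shodan. The host records, the placeholder JARM value and the TEST-NET IPs are constructed; the field names mimic a scan-platform schema but are not the real Censys or Shodan API, and the banner hash is a stand-in SHA-256 rather than either platform’s exact computation. The `min_shared` threshold is the part worth copying: a single widely shared attribute (one JARM) is a weak link, whereas a host matching on two or more is a much stronger candidate for the cluster.

```python
"""Pivot clustering over host-scan records (added example, constructed data)."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    port: int
    name: str                 # e.g. "ssh", "https", "rdp"
    banner: str = ""          # raw server banner / version string, if any
    cert_subject: str = ""    # TLS certificate subject CN
    cert_issuer: str = ""     # TLS certificate issuer CN
    jarm: str = ""            # JARM TLS fingerprint, if any


@dataclass
class Host:
    ip: str                   # kept defanged, as in the post
    asn: str
    services: tuple


def banner_hash(banner: str) -> str:
    """Stand-in banner hash (assumption: scan platforms hash differently,
    but identical banners colliding is all the pivot needs)."""
    return hashlib.sha256(banner.encode()).hexdigest()[:16]


def fingerprints(host: Host) -> set:
    """Every pivot-able attribute of a host as a 'kind:value' string."""
    fps = set()
    for s in host.services:
        if s.banner:
            fps.add(f"{s.name}-banner-hash:{banner_hash(s.banner)}")
        if s.cert_subject and s.cert_issuer:
            fps.add(f"{s.name}-cert:{s.cert_subject}|{s.cert_issuer}")
        if s.jarm:
            fps.add(f"jarm:{s.jarm}")
    return fps


def covenant_default_cert(host: Host) -> bool:
    """The hunt analytic from the post: Covenant's default certificate carries
    'Covenant' in both the Issuer and the Subject field."""
    return any(s.cert_subject == "Covenant" and s.cert_issuer == "Covenant"
               for s in host.services)


def pivot(seed: Host, hosts: list, min_shared: int = 1) -> dict:
    """Return {pivot attribute -> [other IPs sharing it]} for a seed host.
    A host is reported only if it shares at least `min_shared` distinct
    attributes with the seed, which filters hosts matching on one common value."""
    seed_fps = fingerprints(seed)
    matches = defaultdict(list)
    for h in hosts:
        if h.ip == seed.ip:
            continue
        common = seed_fps & fingerprints(h)
        if len(common) >= min_shared:
            for fp in common:
                matches[fp].append(h.ip)
    return dict(matches)


# Constructed sample records (not real scan results). The seed mirrors the
# shape of the post's Covenant host; the other IPs are TEST-NET placeholders.
JARM_A = "JARM_PLACEHOLDER_A"   # constructed, not a real JARM value
SSH_BANNER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4"
SEED = Host("62.233.50[.]25", "AS57523", (
    Service(7443, "https", cert_subject="Covenant", cert_issuer="Covenant", jarm=JARM_A),
    Service(22, "ssh", banner=SSH_BANNER),
))
HOSTS = [
    SEED,
    Host("192.0.2[.]10", "AS64496", (Service(7443, "https", cert_subject="Covenant",
                                               cert_issuer="Covenant", jarm=JARM_A),)),
    Host("192.0.2[.]11", "AS64496", (Service(443, "https", cert_subject="shop.example",
                                               cert_issuer="Example CA", jarm=JARM_A),)),
    Host("198.51.100[.]7", "AS64497", (Service(22, "ssh", banner=SSH_BANNER),)),
    Host("203.0.113[.]3", "AS64498", (Service(3389, "rdp", cert_subject="WIN-EXAMPLE",
                                                cert_issuer="WIN-EXAMPLE"),)),
]

if __name__ == "__main__":
    print("seed is Covenant default cert:", covenant_default_cert(SEED))
    for fp, ips in pivot(SEED, HOSTS).items():
        print(f"{fp}: {ips}")
    print("hosts sharing >= 2 attributes:", pivot(SEED, HOSTS, min_shared=2))
```

With the default threshold the JARM pivot pulls in 192.0.2[.]11 even though it runs an ordinary certificate; raising `min_shared` to 2 keeps only 192.0.2[.]10, which shares both the JARM and the Covenant certificate.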

WIN-R84DEUE96RB

When checking for the Windows hostname in Censys, we return 790 results hosted mainly on VDSINA. However, two results can be highlighted using the “security-tool” label. Censys shows these two IP addresses running Metasploit and Acunetix:

Our next piece of analysis was on Table 4.

The table contains 3 “high fidelity” IP addresses, but our findings revolve around IPs 81.19.135[.]220 and 81.19.135[.]226. Let’s start by looking at the first in Censys:

Having a look at VirusTotal only shows an association with LockBit from 1 day ago. However, we have been tracking this IP address and the group behind it — ShadowSyndicate. Bridewell Cyber Threat Intelligence has been tracking this group and its associated servers, including this IP address, in order to protect our customers since August–September 2023. (Shameless plug for Bridewell CTI.)

This IP address is running an interesting SSH hash that we have been associating with a player in the ransomware scene we called ShadowSyndicate. If you haven’t read it, please take a look at our previous research here:

https://www.group-ib.com/blog/shadowsyndicate-raas/

And here:

Now the second of our IPs in the table (81.19.135[.]226) appears; it also shares the same SSH hash. So let’s take another look at this SSH hash and break down more findings:

The distribution of IP addresses appears not to have changed much from the hosting providers previously used by ShadowSyndicate. So first, let’s take a look at the two IPs from the CISA report together. They both appear to be running OpenVPN:

Very interesting. So can we find any more on our SSH hash? You bet.

Inspecting them further in VT:

This identifies one IP, 81.19.135[.]241, as a Meterpreter C2 as well as an OpenVPN server.

194.165.16[.]80 is another interesting IP. Whilst it’s currently running OpenVPN, it appears to be a repurposed Cobalt Strike C2 and also has recent Cerber ransomware samples from as late as October 2023. Note that both 194.165.16[.]64 and 194.165.16[.]92 have also been used by Cerber ransomware, with the latter also being a repurposed Cobalt Strike C2.

The connection between the SSH hash and the OpenVPN servers creates a very strong link between LockBit and the previously reported ShadowSyndicate. It’s highly likely these additional OpenVPN servers will be used in upcoming campaigns, or have already been used!

After later inspection, we also identified 193.142.30[.]224 running OpenVPN on port 1194:

92.118.36[.]204

The next finding is an unexpected one. It appears this IP address is hosting the 8Base ransomware group’s data leak site:

As we can see from VirusTotal, this IP is clean and only associated with ShadowSyndicate.

To further muddy the connections between ransomware groups and affiliates, we can now add another link, to 8Base ransomware.

So here it is, the final graph of the analysis for the SSH hash running on two OpenVPN servers linked to LockBit from the CISA report:

Final Remarks

Thank you for bearing with us and reading till the end. We hope you’ve found the plethora of findings interesting and valuable. The techniques demonstrated in this report have allowed us to make additional, previously unidentified connections to other ransomware groups, malware and infrastructure from what continues to be vital open reporting from organisations such as Boeing. These indicators should always be validated before taking any action; however, our recommendation is that they are treated as malicious.

We welcome any and all feedback and comments. Thanks.

Indicators

5[.]188[.]86[.]23
5[.]188[.]87[.]46
45[.]145[.]20[.]212
45[.]227[.]252[.]229
45[.]227[.]253[.]29
45[.]227[.]255[.]214
78[.]128[.]112[.]139
78[.]128[.]112[.]208
81[.]19[.]135[.]215
81[.]19[.]135[.]216
81[.]19[.]135[.]220
81[.]19[.]135[.]226
81[.]19[.]135[.]227
81[.]19[.]135[.]228
81[.]19[.]135[.]241
81[.]19[.]135[.]249
81[.]19[.]136[.]239
81[.]19[.]136[.]251
88[.]214[.]25[.]252
91[.]238[.]181[.]236
91[.]238[.]181[.]253
92[.]118[.]36[.]204
141[.]98[.]82[.]199
141[.]98[.]82[.]231
141[.]98[.]82[.]240
147[.]78[.]46[.]112
147[.]78[.]47[.]231
158[.]255[.]2[.]244
158[.]255[.]2[.]252
179[.]60[.]150[.]121
179[.]60[.]150[.]139
179[.]60[.]150[.]151
193[.]29[.]13[.]152
193[.]29[.]13[.]212
193[.]142[.]30[.]17
193[.]142[.]30[.]37
193[.]142[.]30[.]154
193[.]142[.]30[.]205
193[.]142[.]30[.]211
193[.]142[.]30[.]215
193[.]142[.]30[.]224
194[.]165[.]16[.]64
194[.]165[.]16[.]80
194[.]165[.]16[.]92
accounts[.]user-account-auth[.]com
apis[.]user-account-auth[.]com
better-business-bureau-share-file[.]com
betterbusinessbureau-sharefile[.]com
blog[.]gruplast[.]com[.]br
blur[.]entrydapp[.]com
blurnft[.]entrydapp[.]com
client[.]i-clean[.]co[.]in
content[.]user-account-auth[.]com
cpanel[.]nunativs[.]com
dc-0b43da5a453c[.]mirakaghee[.]co[.]nz
eandn[.]i-clean[.]co[.]in
eandnb[.]i-clean[.]co[.]in
eands[.]wordsforthesoul[.]com
eans[.]nunativs[.]com
eansi[.]sonykbcliv[.]com
eansrklnt[.]nunativs[.]com
easan[.]sonykbcliv[.]com
easdna[.]i-clean[.]co[.]in
easen[.]nunativs[.]com
easent[.]nunativs[.]com
easn[.]i-clean[.]co[.]in
easna[.]nunativs[.]com
easnad[.]wordsforthesoul[.]com
easnans[.]nunativs[.]com
easnd[.]i-clean[.]co[.]in
easnde[.]i-clean[.]co[.]in
easns[.]nunativs[.]com
easnsn[.]i-clean[.]co[.]in
eassn[.]inlight-tone[.]com
eassn[.]wordsforthesoul[.]com
eastzonentp[.]com
easybnpbnking[.]wordsforthesoul[.]com
easybnpbqnk[.]wordsforthesoul[.]com
easybnpbqnkg[.]wordsforthesoul[.]com
easyclient[.]mirakaghee[.]co[.]nz
easydocmnt[.]mirakaghee[.]co[.]nz
easydocumnt[.]iraqts[.]com
easydocumnt[.]mirakaghee[.]co[.]nz
easyn[.]gruplast[.]com[.]br
ense[.]sonykbcliv[.]com
esans[.]sonykbcliv[.]com
gitxrjku7i2ng5snr[.]network
hmdhonline[.]nunativs[.]com
hmdonl[.]nunativs[.]com
hmfsonlin[.]nunativs[.]com
hmhnoln[.]nunativs[.]com
homebanking[.]iraqts[.]com
homeklant[.]iraqts[.]com
idibaing[.]gruplast[.]com[.]br
5[.]182[.]5[.]132
5[.]182[.]6[.]141
5[.]188[.]118[.]181
5[.]188[.]119[.]68
5[.]188[.]158[.]47
5[.]188[.]158[.]83
31[.]184[.]218[.]86
31[.]184[.]218[.]155
31[.]184[.]219[.]102
45[.]92[.]177[.]101
45[.]92[.]177[.]161
46[.]148[.]230[.]109
46[.]232[.]212[.]25
51[.]175[.]83[.]189
62[.]182[.]158[.]215
80[.]249[.]131[.]141
84[.]38[.]184[.]12
84[.]38[.]185[.]232
89[.]248[.]192[.]158
89[.]248[.]192[.]247
91[.]177[.]179[.]36
91[.]206[.]15[.]222
92[.]53[.]65[.]97
94[.]26[.]226[.]141
94[.]26[.]248[.]40
94[.]26[.]249[.]130
95[.]143[.]188[.]35
95[.]143[.]188[.]113
95[.]143[.]188[.]169
185[.]137[.]232[.]37
188[.]68[.]204[.]93
188[.]68[.]205[.]106
188[.]124[.]37[.]55
188[.]124[.]54[.]145
193[.]201[.]9[.]224
193[.]201[.]9[.]225
212[.]41[.]8[.]26
212[.]41[.]9[.]19
212[.]41[.]9[.]58
212[.]41[.]26[.]108
http://189.51-175-83.customer.lyse.net
http://36.179-177-91.adsl-dyn.isp.belgacom.be
hxxp[://]ad[.]roomte[.]com
hxxp[://]admin[.]hotel24[.]ru
hxxp[://]admin[.]roomte[.]com
hxxp[://]b2b[.]ctt-sib[.]ru
hxxp[://]en-us[.]roomte[.]com
hxxp[://]es-us[.]roomte[.]com
hxxp[://]fr-us[.]roomte[.]com
hxxp[://]gptgpt[.]ru
hxxp[://]hotel24[.]ru
hxxp[://]it[.]roomte[.]com
hxxp[://]nmir[.]eu[.]org
hxxp[://]pl-pl[.]roomte[.]com
hxxp[://]pl[.]roomte[.]com
hxxp[://]rabota[.]hotel24[.]ru
hxxp[://]ru[.]hotel24[.]ru
hxxp[://]souvenir63[.]ru
hxxp[://]sprut[.]cpbp[.]ru
hxxp[://]srv1[.]cpbp[.]ru
hxxp[://]vsrabota[.]hotel24[.]ru
hxxp[://]web1c[.]icdmc[.]ru
hxxp[://]hotel24[.]ru
hxxp[://]nmir[.]eu[.]org
hxxp[://]souvenir63[.]ru
185[.]137[.]232[.]37
193[.]201[.]9[.]224
193[.]201[.]9[.]225
23[.]227[.]198[.]203
23[.]227[.]198[.]214
37[.]28[.]156[.]21
37[.]28[.]156[.]23
37[.]28[.]157[.]12
37[.]28[.]157[.]16
37[.]28[.]157[.]22
37[.]28[.]157[.]35
37[.]28[.]157[.]38
37[.]120[.]198[.]224
37[.]120[.]237[.]223
45[.]84[.]121[.]40
45[.]146[.]173[.]139
66[.]165[.]246[.]84
69[.]46[.]15[.]151
69[.]46[.]15[.]167
78[.]135[.]73[.]152
78[.]135[.]73[.]154
78[.]135[.]73[.]159
78[.]135[.]73[.]167
78[.]135[.]73[.]188
84[.]252[.]94[.]164
84[.]252[.]94[.]179
84[.]252[.]95[.]212
84[.]252[.]95[.]214
84[.]252[.]95[.]224
84[.]252[.]95[.]237
84[.]252[.]95[.]254
89[.]40[.]206[.]90
89[.]44[.]9[.]88
89[.]44[.]201[.]69
89[.]238[.]170[.]250
89[.]238[.]185[.]5
91[.]206[.]178[.]75
91[.]206[.]178[.]109
91[.]206[.]178[.]133
91[.]206[.]178[.]143
91[.]206[.]178[.]167
91[.]245[.]254[.]102
146[.]70[.]20[.]201
146[.]70[.]20[.]218
146[.]70[.]53[.]153
146[.]70[.]53[.]179
146[.]70[.]53[.]187
146[.]70[.]78[.]40
146[.]70[.]86[.]51
146[.]70[.]86[.]61
146[.]70[.]86[.]135
146[.]70[.]86[.]235
146[.]70[.]100[.]75
146[.]70[.]100[.]77
146[.]70[.]100[.]81
146[.]70[.]100[.]82
146[.]70[.]100[.]83
146[.]70[.]101[.]106
146[.]70[.]102[.]72
146[.]70[.]102[.]113
146[.]70[.]104[.]172
146[.]70[.]104[.]242
146[.]70[.]106[.]42
146[.]70[.]106[.]45
146[.]70[.]106[.]55
146[.]70[.]106[.]73
146[.]70[.]106[.]76
146[.]70[.]106[.]86
146[.]70[.]106[.]94
146[.]70[.]106[.]165
146[.]70[.]106[.]171
146[.]70[.]106[.]174
146[.]70[.]115[.]14
146[.]70[.]115[.]59
146[.]70[.]116[.]9
146[.]70[.]124[.]70
146[.]70[.]125[.]82
146[.]70[.]125[.]83
146[.]70[.]125[.]87
146[.]70[.]125[.]107
146[.]70[.]125[.]119
146[.]70[.]125[.]121
146[.]70[.]131[.]231
146[.]70[.]139[.]172
146[.]70[.]139[.]229
146[.]70[.]139[.]231
146[.]70[.]139[.]234
146[.]70[.]143[.]133
146[.]70[.]143[.]182
146[.]70[.]160[.]57
146[.]70[.]160[.]62
146[.]70[.]169[.]144
146[.]70[.]169[.]150
146[.]70[.]169[.]159
146[.]70[.]169[.]163
146[.]70[.]169[.]164
149[.]255[.]35[.]182
185[.]17[.]40[.]153
185[.]17[.]40[.]176
185[.]17[.]40[.]178
185[.]17[.]40[.]188
185[.]17[.]40[.]189
185[.]73[.]202[.]68
185[.]244[.]212[.]103
188[.]208[.]141[.]197
194[.]15[.]216[.]23
194[.]15[.]216[.]78
194[.]15[.]216[.]219
194[.]15[.]216[.]232
194[.]15[.]216[.]248
194[.]37[.]97[.]179
217[.]138[.]215[.]68
217[.]138[.]215[.]79
217[.]138[.]215[.]85
217[.]138[.]215[.]105
146–70–106–55.cprapid[.]com
146–70–106–73.cprapid[.]com
146–70–143–182.cprapid[.]com
146.70.106.42.sslip[.]io
149–255–35–182[.]static.hvvc.us
194–15–216–248[.]cprapid.com
194–37–97–179[.]cprapid.com
23–227–198–203[.]static.hvvc.us
23–227–198–214[.]static.hvvc.us
37–28–157–16[.]cprapid.com
37–28–157–22[.]cprapid.com
37.28.157.12[.]sslip.io
37.28.157.35[.]sslip.io
45.84.121.40[.]sslip.io
66–165–246–84[.]cprapid.com
69–46–15–167[.]static.hvvc.us
78.135.73.188[.]nip.io
84–252–94–179[.]cprapid.com
84–252–95–224[.]cprapid.com
84–252–95–237[.]cprapid.com
91–206–178–143[.]cprapid.com
acpstech[.]org
ae-1[.]direct[.]fireflysolutions[.]top
ae-1[.]nodes[.]fireflysolutions[.]top
alxtestdomain[.]xyz
athe-bois[.]com
c[.]huanqiuy[.]cc
c[.]kenyait[.]cc
conedexon[.]click
ct[.]majic222[.]info
d156021[.]artnet[.]gda[.]pl
d156021[.]artnet[.]pl
d156023[.]artnet[.]gda[.]pl
d156023[.]artnet[.]pl
d157012[.]artnet[.]gda[.]pl
d157016[.]artnet[.]gda[.]pl
d157022[.]artnet[.]gda[.]pl
d157035[.]artnet[.]gda[.]pl
d157038[.]artnet[.]gda[.]pl
fleurdeleafcaliforniacannabis[.]com
focovri[.]com
gear[.]flexflex[.]online
gorlovski[.]com
hi[.]vv2home[.]sbs
hmzrssica[.]com
hosttunnel[.]salimsoft[.]ir
hpstpol[.]salimsoft[.]ir
huanqiuy[.]cc
israelpost[.]wirelesperuvian[.]com
janamnfgk[.]com
jellyfin[.]fromnz[.]net
kaporetto[.]com
kenyait[.]cc
kiuendoism[.]com
kudamyir[.]com
liftgoi[.]com
mail.146–70–106–55[.]cprapid.com
mail.146–70–106–73[.]cprapid.com
mail.194–37–97–179[.]cprapid.com
mail.37–28–157–16[.]cprapid.com
mail.37–28–157–22[.]cprapid.com
mail[.]mamacreekastro[.]com
mamacreekastro[.]com
mescomm[.]com
millacongos[.]com
mmorpg[.]freemyip[.]com
mta0[.]fleurdeleafcaliforniacannabis[.]com
mta0[.]liftgoi[.]com
n[.]docmagapps[.]com
naslewp[.]ir
nbgs-staticp[.]info
ns1[.]worldtechrealnews[.]com
ns2[.]worldtechrealnews[.]com
ns3[.]worldtechrealnews[.]com
ns4[.]worldtechrealnews[.]com
onefastnote[.]com
op[.]gps[.]moe
pass[.]alxtestdomain[.]xyz
pass[.]slvsrv[.]lol
petedgeshop[.]com
quiltbonding[.]com
reshbolbor[.]com
share[.]alxtestdomain[.]xyz
share[.]slvsrv[.]lol
support-webportal[.]com
tepersis[.]ir
test1[.]slvsrv[.]lol
test2[.]slvsrv[.]lol
time[.]flexflex[.]online
usbblockernow[.]com
vpn[.]alxtestdomain[.]xyz
vpn[.]slvsrv[.]lol
vpn823028770[.]softether[.]net
vw[.]slvsrv[.]lol
worldtechrealnews[.]com
www.146-70-106-55[.]cprapid.com
www.146-70-106-73[.]cprapid.com
www.194-37-97-179[.]cprapid.com
www.37-28-157-16[.]cprapid.com
www.37-28-157-22[.]cprapid.com
www.66-165-246-84[.]cprapid.com
www.84-252-94-179[.]cprapid.com
www[.]athe-bois[.]com
www[.]fleurdeleafcaliforniacannabis[.]com
www[.]kaporetto[.]com
www[.]mamacreekastro[.]com
www[.]usbblockernow[.]com
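The indicator list above mixes several defanging styles (`[.]` in IPs and hostnames, `hxxp[://]` URLs, and hyphens that copy-paste rendered as en-dashes in hostnames such as 146–70–106–55.cprapid[.]com), so it cannot be dropped straight into a blocklist or a log search. The script below is an added example, not code from the authors or from the CISA advisory: it normalises indicators in those styles, reduces URLs to their host, and matches the result against log lines. The indicator subset and the firewall/proxy/DNS log lines embedded in it are constructed samples; the suffix match in `match_log_line` is a deliberate design choice (a listed `hotel24.ru` also flags `rabota.hotel24.ru`) and should be narrowed to exact matches where that proves noisy.

```python
"""Refang a defanged indicator list and match it against log lines.
Added example with constructed inputs; not part of the original post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches either a dotted-quad IP or a dotted hostname inside free-form log text.
_HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator: str) -> str:
    """Undo the defanging styles used in the post's indicator list."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("[://]", "://")
    s = s.replace("\u2013", "-").replace("\u2014", "-")   # en/em dashes from copy-paste
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)
    s = s.rstrip("%")                                     # stray trailing character seen in one entry
    return s.lower()


def indicator_key(indicator: str) -> str:
    """Reduce an IP, hostname or URL indicator to the host that would appear in logs."""
    s = refang(indicator)
    if "://" in s:
        s = urlsplit(s).hostname or s
    return s


def load_indicators(text: str):
    """Split a newline-separated indicator list into (ip set, host set)."""
    ips, hosts = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        key = indicator_key(line)
        try:
            ips.add(str(ipaddress.ip_address(key)))   # validates and canonicalises the IP
        except ValueError:
            hosts.add(key)
    return ips, hosts


def match_log_line(line: str, ips: set, hosts: set) -> list:
    """Return every IP or hostname in the line that is a listed indicator
    (or a subdomain of a listed hostname)."""
    hits = []
    for token in _HOST_RE.findall(line):
        t = token.lower()
        if t in ips:
            hits.append(t)
        elif t in hosts or any(t.endswith("." + h) for h in hosts):
            hits.append(t)
    return hits


def scan(log_lines: list, indicator_text: str) -> dict:
    """Map each log line that contains an indicator to the list of hits."""
    ips, hosts = load_indicators(indicator_text)
    results = {}
    for line in log_lines:
        hits = match_log_line(line, ips, hosts)
        if hits:
            results[line] = hits
    return results


# A small subset of the post's indicators, in the defanged forms they appear in above.
INDICATORS = """
62[.]233[.]50[.]25
193[.]201[.]9[.]224
hxxp[://]admin[.]hotel24[.]ru
hxxp[://]hotel24[.]ru
146\u201370\u2013106\u201355.cprapid[.]com
hxxp[://]pl-pl[.]roomte[.]com%
"""

# Constructed log lines (firewall, proxy, DNS); the 10.0.0.0/8 and TEST-NET addresses are placeholders.
LOG_LINES = [
    "2023-11-20T10:01:02Z fw allow src=10.0.0.5 dst=193.201.9.224 dport=21 proto=tcp",
    "2023-11-20T10:02:10Z proxy GET http://rabota.hotel24.ru/index.php 200",
    "2023-11-20T10:03:44Z dns query=146-70-106-55.cprapid.com type=A",
    "2023-11-20T10:04:00Z fw allow src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line, hits in scan(LOG_LINES, INDICATORS).items():
        print(f"HIT {hits}: {line}")
```

Three of the four constructed lines match: the FTP connection to 193.201.9.224, the proxy request to a subdomain of hotel24.ru, and the DNS query for the cprapid.com hostname whose en-dashes were normalised; the fourth line, to an unlisted address, is left alone.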
