PULSE DETAIL
A few of these IPs showed up as destinations in connections from a Cobalt Strike beacon we were investigating. Looking across the same ASN, we noticed a distinct pattern in the SSL certificate subject information that strongly indicated that this list of servers was probably all related infrastructure. The connections out to the CS server we were studying were very frequent (about once every 10 seconds), so if you see a high volume of connections to any of these IPs or high-frequency DNS lookups for these domain names, you should investigate for sure. All of these servers appear to be in Russia. We think this is part of a UNC1878 campaign and might result in Ryuk.
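The cadence check described above, as an added example that is not part of the pulse: connection records are grouped by source/destination pair and a pair is flagged when it has enough connections and the gaps between them are regular (a roughly 10-second beacon, as observed here). The log lines and addresses are constructed placeholders, not the pulse's indicators.

```python
import statistics
from collections import defaultdict

# Constructed sample connection records (not real telemetry): timestamp, src, dst.
# The placeholder destination 203.0.113.7 receives a connection roughly every 10 s;
# 198.51.100.20 is ordinary, irregular traffic.
SAMPLE_LOG = """\
1600000000.0 10.0.0.5 203.0.113.7
1600000003.4 10.0.0.5 198.51.100.20
1600000010.0 10.0.0.5 203.0.113.7
1600000019.8 10.0.0.5 203.0.113.7
1600000030.1 10.0.0.5 203.0.113.7
1600000039.8 10.0.0.5 203.0.113.7
1600000041.3 10.0.0.5 198.51.100.20
1600000050.0 10.0.0.5 203.0.113.7
1600000060.0 10.0.0.5 203.0.113.7
1600000140.0 10.0.0.5 198.51.100.20
"""

def parse_log(text):
    """Yield (timestamp, src, dst) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield float(parts[0]), parts[1], parts[2]

def find_beacons(records, min_conns=5, max_jitter=0.25):
    """Return {(src, dst): median_gap_seconds} for pairs whose connections are
    regular: at least min_conns connections and a coefficient of variation
    (population stdev / median gap) below max_jitter."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    hits = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        median = statistics.median(gaps)
        if median > 0 and statistics.pstdev(gaps) / median < max_jitter:
            hits[pair] = round(median, 1)
    return hits

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: regular connections every ~{interval}s")
```

The thresholds are assumptions to tune per environment; long-lived beacons with sleep jitter need a wider max_jitter, and a larger min_conns cuts false positives from short bursts.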
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
Trojan:Win32/Cobaltstrike
Indicators of Compromise (0)
No indicators.