Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, a rogue RDP server, and malicious RDP configuration files to potentially leak data and install malware. The group registered over 200 domain names between August and October, setting up 193 RDP relays and 34 rogue RDP backend servers. They employed anonymization layers such as VPN services, Tor, and residential proxies to mask their operations. The campaign peaked on October 22, targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities.
MITRE ATT&CK & Malware Families
Indicators of Compromise (191)