Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
Earth Koshchei, an APT group suspected of being sponsored by the Russian SVR, executed a large-scale rogue RDP campaign against high-profile sectors. The attack methodology combined spear-phishing emails, red team tools, and layered anonymization techniques. The campaign used an RDP relay, a rogue RDP server, and malicious RDP configuration files, with the potential to leak data from victims and install malware. The group registered over 200 domain names between August and October, setting up 193 RDP relays and 34 rogue RDP backend servers. They employed anonymization layers such as VPN services, Tor, and residential proxies to mask their operations. The campaign peaked on October 22, targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities.

Indicators of Compromise (178 of 191 total listed; all are domain indicators created 2024-12-17)