{
  "type": "Domain",
  "indicator": "skykick.solutions",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/skykick.solutions",
    "alexa": "http://www.alexa.com/siteinfo/skykick.solutions",
    "indicator": "skykick.solutions",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4013575616,
      "indicator": "skykick.solutions",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "6761a4b9130d14f22c9acb92",
          "name": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks",
          "description": "Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, rogue RDP server, and malicious RDP configuration files to potentially leak data and install malware. The group registered over 200 domain names between August and October, setting up 193 RDP relays and 34 rogue RDP backend servers. They employed anonymization layers like VPN services, TOR, and residential proxies to mask their operations. The campaign peaked on October 22, targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities.",
          "modified": "2025-01-16T16:01:41.367000",
          "created": "2024-12-17T16:20:09.482000",
          "tags": [
            "data exfiltration",
            "spear-phishing",
            "midnight blizzard",
            "apt29",
            "Python Remote Desktop Protocol MITM tool (PyRDP)",
            "RogueRDP",
            "TOR exit nodes"
          ],
          "references": [
            "https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt"
          ],
          "public": 1,
          "adversary": "Earth Koshchei",
          "targeted_countries": [
            "Ukraine",
            "Australia",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Education",
            "Technology",
            "Telecommunications",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 79,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "FileHash-SHA256": 11,
            "domain": 178
          },
          "indicator_count": 191,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376740,
          "modified_text": "453 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "676375f11f8dcb260e5b6a49",
          "name": "Hackers Weaponize Red Team Tools in RDP Campaigns",
          "description": "Hackers exploit Red Team tools in RDP attacks using TOR and VPNs for data theft.",
          "modified": "2025-01-18T01:04:35.888000",
          "created": "2024-12-19T01:25:05.633000",
          "tags": [
            "aws secure",
            "data exchange",
            "aws iam",
            "zero trust",
            "iam identity",
            "device security"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 187,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 11
          },
          "indicator_count": 218,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 483,
          "modified_text": "452 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6762e8da1d130d081e30eb1c",
          "name": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks | Trend Micro (US)",
          "description": "Trend Vision One is a comprehensive platform for cybersecurity solutions designed for all sectors, from the healthcare industry to the manufacturing and healthcare sectors. \u00a31.5bn in sales worldwide.",
          "modified": "2025-01-17T15:01:34.109000",
          "created": "2024-12-18T15:23:06.433000",
          "tags": [
            "apt & targeted attacks",
            "latest news",
            "research",
            "learn",
            "earth koshchei",
            "trend micro",
            "october",
            "koshchei",
            "rdp campaign",
            "vision one",
            "pyrdp",
            "trend vision",
            "threat insights",
            "august",
            "alliance",
            "tools",
            "stop",
            "find",
            "ukraine",
            "hybrid",
            "small",
            "protect",
            "carriers",
            "attack",
            "rogue",
            "service",
            "virustotal",
            "suomi",
            "indonesia",
            "rdp"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Netherlands",
            "Japan",
            "Australia"
          ],
          "malware_families": [
            {
              "id": "RDP",
              "display_name": "RDP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [
            "Military",
            "Foreign Affairs",
            "Diplomatic",
            "Energy",
            "Telecom",
            "Defense",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 11,
            "domain": 187
          },
          "indicator_count": 220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 846,
          "modified_text": "452 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6761c342090a79dee5f5f2b1",
          "name": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks | Trend Micro (US)",
          "description": "This report from Trend Micro analyzes a recent campaign by Earth Koshchei, an intrusion set supposedly attributed to Russia\u2019s Foreign Intelligence Service (SVR), that gains initial access through phishing emails containing RDP configuration files. When victims open these files, a connection to a remote RDP server is established through one of the 193 RDP relays set up by Earth Koshchei. Then, the attackers use tools like Cobalt Strike and Metasploit to achieve persistence, lateral movement, and command and control within the target environment. The risks include unauthorized access, data exfiltration, and widespread compromise of systems. To mitigate these risks, cybersecurity professionals should implement multi-factor authentication (MFA) for RDP, restrict outbound RDP connections, monitor for unusual RDP-related prompts or traffic, educate users on identifying phishing attempts, and deploy endpoint detection tools to identify malicious activity and tool usage early in the attack chain.",
          "modified": "2025-01-16T17:04:57.148000",
          "created": "2024-12-17T18:30:26.392000",
          "tags": [
            "apt & targeted attacks",
            "latest news",
            "research",
            "learn",
            "earth koshchei",
            "trend micro",
            "october",
            "koshchei",
            "rdp campaign",
            "vision one",
            "pyrdp",
            "trend vision",
            "threat insights",
            "august",
            "alliance",
            "tools",
            "stop",
            "find",
            "ukraine",
            "hybrid",
            "small",
            "protect",
            "carriers",
            "attack",
            "rogue",
            "service",
            "virustotal",
            "suomi",
            "indonesia",
            "rdp",
            "data exchange",
            "aws secure",
            "zero trust",
            "aws iam",
            "amazon",
            "identity center",
            "ip address",
            "iam identity",
            "secure data",
            "target"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt"
          ],
          "public": 1,
          "adversary": "Earth Koshchei",
          "targeted_countries": [
            "Ukraine",
            "Netherlands",
            "Japan",
            "Australia"
          ],
          "malware_families": [
            {
              "id": "RDP",
              "display_name": "RDP",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Metasploit",
              "display_name": "Metasploit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [
            "Military",
            "Foreign Affairs",
            "Diplomatic",
            "Energy",
            "Telecom",
            "Defense",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "FileHash-SHA256": 11,
            "domain": 187
          },
          "indicator_count": 200,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "453 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67615d383188177c071ba0bd",
          "name": "Hackers Leverage Red Team Tools in RDP Attacks Via TOR & VPN for Data Exfiltration",
          "description": "Researchers have identified the source of a series of attacks on the Earth Koshchei network, using data stored on a network known as the \"black hole\" or \"white hole\", as well as a number of other sites.\nIn a striking display of cyber sophistication, the advanced persistent threat (APT) group Earth Koshchei, also tracked as APT29 or Midnight Blizzard, has been linked to a massive rogue Remote Desktop Protocol (RDP) campaign.",
          "modified": "2025-01-16T11:03:28.820000",
          "created": "2024-12-17T11:15:04.830000",
          "tags": [
            "data exchange",
            "aws secure",
            "zero trust",
            "aws iam",
            "amazon",
            "identity center",
            "earth koshchei",
            "ip address",
            "iam identity",
            "secure data",
            "tools",
            "rogue",
            "target"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 11,
            "domain": 187
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 845,
          "modified_text": "453 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6761543716a8c034207bba5b",
          "name": "Hackers Leverage Red Team Tools in RDP Attacks Via TOR & VPN for Data Exfiltration",
          "description": "Researchers have identified the source of a series of attacks on the Earth Koshchei network, using data stored on a network known as the \"black hole\" or \"white hole\", as well as a number of other sites.",
          "modified": "2025-01-16T10:03:45.698000",
          "created": "2024-12-17T10:36:39.668000",
          "tags": [
            "data exchange",
            "aws secure",
            "zero trust",
            "aws iam",
            "amazon",
            "identity center",
            "earth koshchei",
            "ip address",
            "iam identity",
            "secure data",
            "tools",
            "rogue",
            "target"
          ],
          "references": [
            "https://cybersecuritynews.com/hackers-leverage-red-team-tools-in-rdp-attacks/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jacksparrow",
            "id": "142887",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 11,
            "domain": 187
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "453 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6761543aba6b311bfb12dcd4",
          "name": "Hackers Leverage Red Team Tools in RDP Attacks Via TOR & VPN for Data Exfiltration",
          "description": "Researchers have identified the source of a series of attacks on the Earth Koshchei network, using data stored on a network known as the \"black hole\" or \"white hole\", as well as a number of other sites.",
          "modified": "2025-01-16T10:03:45.698000",
          "created": "2024-12-17T10:36:42.448000",
          "tags": [
            "data exchange",
            "aws secure",
            "zero trust",
            "aws iam",
            "amazon",
            "identity center",
            "earth koshchei",
            "ip address",
            "iam identity",
            "secure data",
            "tools",
            "rogue",
            "target"
          ],
          "references": [
            "https://cybersecuritynews.com/hackers-leverage-red-team-tools-in-rdp-attacks/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jacksparrow",
            "id": "142887",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 11,
            "domain": 187
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "453 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cybersecuritynews.com/hackers-leverage-red-team-tools-in-rdp-attacks/",
        "https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html",
        "https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Earth Koshchei"
          ],
          "malware_families": [],
          "industries": [
            "Energy",
            "Telecommunications",
            "Education",
            "Government",
            "Defense",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "Earth Koshchei"
          ],
          "malware_families": [
            "Cobalt strike",
            "Rdp",
            "Metasploit"
          ],
          "industries": [
            "Energy",
            "Telecommunications",
            "Military",
            "Foreign affairs",
            "Defense",
            "Telecom",
            "Diplomatic"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "6761a4b9130d14f22c9acb92",
      "name": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks",
      "description": "Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, rogue RDP server, and malicious RDP configuration files to potentially leak data and install malware. The group registered over 200 domain names between August and October, setting up 193 RDP relays and 34 rogue RDP backend servers. They employed anonymization layers like VPN services, TOR, and residential proxies to mask their operations. The campaign peaked on October 22, targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities.",
      "modified": "2025-01-16T16:01:41.367000",
      "created": "2024-12-17T16:20:09.482000",
      "tags": [
        "data exfiltration",
        "spear-phishing",
        "midnight blizzard",
        "apt29",
        "Python Remote Desktop Protocol MITM tool (PyRDP)",
        "RogueRDP",
        "TOR exit nodes"
      ],
      "references": [
        "https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt"
      ],
      "public": 1,
      "adversary": "Earth Koshchei",
      "targeted_countries": [
        "Ukraine",
        "Australia",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Education",
        "Technology",
        "Telecommunications",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 79,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2,
        "FileHash-SHA256": 11,
        "domain": 178
      },
      "indicator_count": 191,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376740,
      "modified_text": "453 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "676375f11f8dcb260e5b6a49",
      "name": "Hackers Weaponize Red Team Tools in RDP Campaigns",
      "description": "Hackers exploit Red Team tools in RDP attacks using TOR and VPNs for data theft.",
      "modified": "2025-01-18T01:04:35.888000",
      "created": "2024-12-19T01:25:05.633000",
      "tags": [
        "aws secure",
        "data exchange",
        "aws iam",
        "zero trust",
        "iam identity",
        "device security"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 187,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 11
      },
      "indicator_count": 218,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 483,
      "modified_text": "452 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6762e8da1d130d081e30eb1c",
      "name": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks | Trend Micro (US)",
      "description": "Trend Vision One is a comprehensive and comprehensive platform for cybersecurity solutions designed for all sectors, from the healthcare industry to the manufacturing and healthcare sectors. \u00c2\u00a31.5bn in sales worldwide.",
      "modified": "2025-01-17T15:01:34.109000",
      "created": "2024-12-18T15:23:06.433000",
      "tags": [
        "apt & targeted attacks",
        "latest news",
        "research",
        "learn",
        "earth koshchei",
        "trend micro",
        "october",
        "koshchei",
        "rdp campaign",
        "vision one",
        "pyrdp",
        "trend vision",
        "threat insights",
        "august",
        "alliance",
        "tools",
        "stop",
        "find",
        "ukraine",
        "hybrid",
        "small",
        "protect",
        "carriers",
        "attack",
        "rogue",
        "service",
        "virustotal",
        "suomi",
        "indonesia",
        "rdp"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine",
        "Netherlands",
        "Japan",
        "Australia"
      ],
      "malware_families": [
        {
          "id": "RDP",
          "display_name": "RDP",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [
        "Military",
        "Foreign Affairs",
        "Diplomatic",
        "Energy",
        "Telecom",
        "Defense",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 11,
        "domain": 187
      },
      "indicator_count": 220,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 846,
      "modified_text": "452 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6761c342090a79dee5f5f2b1",
      "name": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks | Trend Micro (US)",
      "description": "This report from Trend Micro analyzes a recent Earth Koshchei, an intrusion set supposedly attributed to Russia\u2019s Foreign Intelligence Service (SVR), campaign that gains initial access through phishing emails containing RDP configuration files. When victims open these files, a connection to a remote RDP server through one of the 193 RDP relays set up by Earth Koshchei is established. Then, the attackers use tools like Cobalt Strike and Metasploit to achieve persistence, lateral movement, and command and control within the target environment. The risks include unauthorized access, data exfiltration, and widespread compromise of systems. To mitigate these risks, cybersecurity professionals should implement multi-factor authentication (MFA) for RDP, restrict outbound RDP connections, monitor for unusual RDP-related prompts or traffic, educate users on identifying phishing attempts, and deploy endpoint detection tools to identify malicious activity and tool usage early in the attack chain.",
      "modified": "2025-01-16T17:04:57.148000",
      "created": "2024-12-17T18:30:26.392000",
      "tags": [
        "apt & targeted attacks",
        "latest news",
        "research",
        "learn",
        "earth koshchei",
        "trend micro",
        "october",
        "koshchei",
        "rdp campaign",
        "vision one",
        "pyrdp",
        "trend vision",
        "threat insights",
        "august",
        "alliance",
        "tools",
        "stop",
        "find",
        "ukraine",
        "hybrid",
        "small",
        "protect",
        "carriers",
        "attack",
        "rogue",
        "service",
        "virustotal",
        "suomi",
        "indonesia",
        "rdp",
        "data exchange",
        "aws secure",
        "zero trust",
        "aws iam",
        "amazon",
        "identity center",
        "ip address",
        "iam identity",
        "secure data",
        "target"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt"
      ],
      "public": 1,
      "adversary": "Earth Koshchei",
      "targeted_countries": [
        "Ukraine",
        "Netherlands",
        "Japan",
        "Australia"
      ],
      "malware_families": [
        {
          "id": "RDP",
          "display_name": "RDP",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Metasploit",
          "display_name": "Metasploit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [
        "Military",
        "Foreign Affairs",
        "Diplomatic",
        "Energy",
        "Telecom",
        "Defense",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2,
        "FileHash-SHA256": 11,
        "domain": 187
      },
      "indicator_count": 200,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "453 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67615d383188177c071ba0bd",
      "name": "Hackers Leverage Red Team Tools in RDP Attacks Via TOR & VPN for Data Exfiltration",
      "description": "Researchers have identified the source of a series of attacks on the Earth Koshchei network, using data stored on a network known as the \"black hole\" or \"white hole\", as well as a number of other sites.\nIn a striking display of cyber sophistication, the advanced persistent threat (APT) group Earth Koshchei, also tracked as APT29 or Midnight Blizzard, has been linked to a massive rogue Remote Desktop Protocol (RDP) campaign.",
      "modified": "2025-01-16T11:03:28.820000",
      "created": "2024-12-17T11:15:04.830000",
      "tags": [
        "data exchange",
        "aws secure",
        "zero trust",
        "aws iam",
        "amazon",
        "identity center",
        "earth koshchei",
        "ip address",
        "iam identity",
        "secure data",
        "tools",
        "rogue",
        "target"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 11,
        "domain": 187
      },
      "indicator_count": 198,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 845,
      "modified_text": "453 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6761543716a8c034207bba5b",
      "name": "Hackers Leverage Red Team Tools in RDP Attacks Via TOR & VPN for Data Exfiltration",
      "description": "Researchers have identified the source of a series of attacks on the Earth Koshchei network, using data stored on a network known as the \"black hole\" or \"white hole\", as well as a number of other sites.",
      "modified": "2025-01-16T10:03:45.698000",
      "created": "2024-12-17T10:36:39.668000",
      "tags": [
        "data exchange",
        "aws secure",
        "zero trust",
        "aws iam",
        "amazon",
        "identity center",
        "earth koshchei",
        "ip address",
        "iam identity",
        "secure data",
        "tools",
        "rogue",
        "target"
      ],
      "references": [
        "https://cybersecuritynews.com/hackers-leverage-red-team-tools-in-rdp-attacks/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jacksparrow",
        "id": "142887",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 11,
        "domain": 187
      },
      "indicator_count": 198,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 36,
      "modified_text": "453 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6761543aba6b311bfb12dcd4",
      "name": "Hackers Leverage Red Team Tools in RDP Attacks Via TOR & VPN for Data Exfiltration",
      "description": "Researchers have identified the source of a series of attacks on the Earth Koshchei network, using data stored on a network known as the \"black hole\" or \"white hole\", as well as a number of other sites.",
      "modified": "2025-01-16T10:03:45.698000",
      "created": "2024-12-17T10:36:42.448000",
      "tags": [
        "data exchange",
        "aws secure",
        "zero trust",
        "aws iam",
        "amazon",
        "identity center",
        "earth koshchei",
        "ip address",
        "iam identity",
        "secure data",
        "tools",
        "rogue",
        "target"
      ],
      "references": [
        "https://cybersecuritynews.com/hackers-leverage-red-team-tools-in-rdp-attacks/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jacksparrow",
        "id": "142887",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 11,
        "domain": 187
      },
      "indicator_count": 198,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 36,
      "modified_text": "453 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "skykick.solutions",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "skykick.solutions",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776233205.8331778
}