# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: CloudFall

# Note: the link between Cloud Atlas and Red October is uncertain (https://securelist.com/recent-cloud-atlas-activity/92016/)

# Reference: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

webdav.cloudme.com/bimm4276/CloudDrive/

# Reference: https://securelist.com/recent-cloud-atlas-activity/92016/
# Reference: https://otx.alienvault.com/pulse/5d5176f09f3f84634e1f0227

http://144.217.174.57
http://176.31.59.232

# Reference: https://twitter.com/Vishnyak0v/status/1197402642651193345

newoffice-template.com

# Reference: https://twitter.com/jfslowik/status/1340352860274393088
# Reference: https://twitter.com/ShadowChasing1/status/1359127027438112773
# Reference: https://www.virustotal.com/gui/file/21ff553d752df93e10e45d0393eb097d5231346737e786ab8ad41324c299342a/detection

ms-officeupdate.com

# Reference: https://twitter.com/kyleehmke/status/1359531943252140040
# Reference: https://twitter.com/ShadowChasing1/status/1362359220046192640
# Reference: https://www.virustotal.com/gui/file/46c203cf15a4126f10b3933376215063fe385aba3be971d63fc4e7be34aaf171/detection

ms-update.org

# Reference: https://twitter.com/jfslowik/status/1363255047929294853

eurasia-research.org
ms-template.com

# Reference: https://twitter.com/h2jazi/status/1363918659534659587
# Reference: https://www.virustotal.com/gui/file/668236000a483b1735b7f8e244ae867804ee20fbd18e07860d1764a30e3ba60d/detection

http://139.60.161.74/appalcanedentrecentlyconvergenting.png
http://217.182.9.185/appalcanedentrecentlyconvergenting.png

# Reference: https://twitter.com/ShadowChasing1/status/1364435382683668484
# Reference: https://www.virustotal.com/gui/file/439032cbee22ae75cce7e2340ca7ffe521dce3e18702ccd703cc5849dbf8954b/detection

/referential5refugee0douglas4modulate5trio7

# Reference: https://twitter.com/ShadowChasing1/status/1364436330894135297
# Reference: https://www.virustotal.com/gui/file/4011b1fff8c088fcb4ac4a05a5a156912162293bbda8147597a41e09725b3ebf/detection

/validate7condom7rapids9simoom9

# Reference: https://www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas

http://139.60.161.74/appalcanedentrecentlyconvergenting.png
http://185.70.184.32/soarnegroidmeanalkydapresowntipslushing.png

# Reference: https://twitter.com/kyleehmke/status/1366796835541684224

ms-officeupdate.org

# Reference: https://twitter.com/ShadowChasing1/status/1391788670349287425
# Reference: https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify
# Reference: https://otx.alienvault.com/pulse/5fb8172cdb6535bd6935bfd6
# Reference: https://www.virustotal.com/gui/file/e5b76a3ec4c9b0a42ec953022b5d64f61e7cd64f78ea0cb7170b7882ffb180b6/detection

2020-windows.com
azureblog.info
brexitimpact.com
doc-fid.com
e-government-pk.com
e-govoffice.com
get-news-online.com
gmocloudhosting.com
interior-gov.com
iphoneupdatecheck.com
live-media.org
liveinfo.org
log1inbox.com
ms-check-new-update.com
msofficeupdate.com
msofficeupdate.org
msupdatecheck.com
netserviceupdater.com
new-office.org
newoffice-template.com
newoffice-update.com
newupdate.org
officeupgrade.org
petronas-me.com
rarnbler.com
rneil.ru
srv3-serveup-ads.net
template-new.com
template-office.org
tls-login.com
update-office.com
upgrade-office.com
upgrade-office.org
user-twitter.com
weather-server.net

# Reference: https://twitter.com/h2jazi/status/1453748348964548617
# Reference: https://www.virustotal.com/gui/file/9e23a08981ae336068905c771754f7ea26b19d3d978b1bd554a4202a165b3072/detection

checklicensekey.com

# Reference: https://twitter.com/ShadowChasing1/status/1469145795723071492
# Reference: https://twitter.com/ShadowChasing1/status/1468924565653159942
# Reference: https://www.virustotal.com/gui/ip-address/185.117.91.175/relations
# Reference: https://www.virustotal.com/gui/file/309ba0a33ecf3e123bc3e539a5443b5b633a135c3fc44fd0941d520fee39afb1/detection
# Reference: https://www.virustotal.com/gui/file/60e9222f464cc99014a909ca4548cf38b20c7a5bbd80714dfd95ce89842be7db/detection

msdocumentviever.com

# Reference: https://www.zscaler.com/blogs/security-research/cloudfall-targets-researchers-and-scientists-invited-international-military
# Reference: https://www.virustotal.com/gui/file/d911e17b3628471713adeac2c86ad429d4e873dacfa13a10ed9a316c49ed63b0/detection

advancestore.workers.dev
dc-microsoft.workers.dev
digitalstorage.workers.dev
fetrikekke531.workers.dev
jerkufetra754.workers.dev
microsoft-365.workers.dev
microsoft-cloud.workers.dev
office365online.workers.dev
office365-cloud.workers.dev
publicserver.workers.dev
repository.workers.dev
api.office365online.workers.dev
asia.office365-cloud.workers.dev
cloud.digitalstorage.workers.dev
curly-waterfall-360d.fetrikekke531.workers.dev
documents.publicserver.workers.dev
eu.microsoft-365.workers.dev
falling-haze-1812.jerkufetra754.workers.dev
falling-haze-1813.jerkufetra754.workers.dev
mirror.advancestore.workers.dev
office365.dc-microsoft.workers.dev
office365.microsoft-cloud.workers.dev
plug.repository.workers.dev
virustotall-360d.fetrikekke531.workers.dev

# Reference: https://twitter.com/h2jazi/status/1592158351475240962
# Reference: https://www.virustotal.com/gui/file/b1a2eb532c461ff2faa4ec9edf44d2ef5678ee1a84a8779866ad64fa8b52065e/detection
# Reference: https://www.virustotal.com/gui/file/8217e38b3dba43d88b397aa0de945eba2efa5884a98b127fd611e426091e56f5/detection
# Reference: https://www.virustotal.com/gui/file/1b3a85d596d65e0101eeddd539cec587fec4ca3b7c08469712c3964f8202a39e/detection
# Reference: https://www.virustotal.com/gui/file/12f9dcdfea0520436e8c5749fbefedc7675e74b73c97a1bcaf1ecce64f12ed19/detection

protocol-list.com
/shab/haftarot/s
/shab/haftarot/

# Reference: https://twitter.com/h2jazi/status/1595787712996556800
# Reference: https://www.virustotal.com/gui/file/186289754f499c26aa66f9305f792ae4a85a9b9946bc5b4dcbb9eeb1632709cd/detection

remote-convert.com
/Access/acrydium/osteectomies
/Access/acrydium/

# Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/

api-help.com
comparelicense.com
driver-updated.com
mynewtemplate.com
new-template.com
sync-firewall.com
system-logs.com
technology-requests.net
translate-news.net

# Reference: https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/

desktoppreview.com
driversolution.net
gettemplate.org
support-app.net

# Reference: https://twitter.com/felixaime/status/1601257303080308739
# Reference: https://twitter.com/felixaime/status/1601257305294921728

driver-key.com
microsoftsample.com
reload-config.com
safety-key.org
web-digest.com

# Reference: https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/
# Reference: https://www.virustotal.com/gui/ip-address/192.153.57.83/relations
# Reference: https://www.virustotal.com/gui/ip-address/91.210.104.54/relations
# Reference: https://www.virustotal.com/gui/file/12c20f9dbdb8955f3f88e28dc10241f35659dbcd74dadc9a10ca1b508722d69a/detection
# Reference: https://www.virustotal.com/gui/file/cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541/detection
# Reference: https://www.virustotal.com/gui/file/ca95e8a8b6fb11b5129821f034b337b06cdf407fa9516619f3baed450ac1cf2d/detection

168.100.11.142:443
fatobara.com
microsftupdetes.com
mirror-exchange.com
rostec.digital
windowsipdate.com

# Generic

/appalcanedentrecentlyconvergenting.png
/azure6steeps4sneaker2wow5herpes0him6fawn9octree5
/politic8stylist1stultification8sadomasochism2
/soarnegroidmeanalkydapresowntipslushing.png
/validate7condom7rapids9simoom9
/veal3reveal0bask6goodby9gust6legitimate6wiliness1
