📃Title: The Darkhotel APT
📅Date: 2014-11-10
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • threat-actor DarkHotel
  • target-information=“China”
  • target-information=“Germany”
  • target-information=“Hong Kong”
  • target-information=“India”
  • target-information=“Indonesia”
  • target-information=“Ireland”
  • target-information=“Japan”
  • target-information=“Russia”
  • target-information=“South Korea”
  • target-information=“Taiwan”
  • target-information=“United States”
  • malpedia=“Nemim”
  • malpedia=“Tapaoux”
  • producer Kaspersky
  • mitre-attack-pattern=[]

MISP event uuid: 6f34d0d4-d39c-42d9-b7d0-ad7c36a49c7e

Indicators of Compromise (IoCs)


Full IoCs available in Rectifyq's MISP