📃Title: RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
📅Date: 2023-08-08
🔗References:
- https://www.recordedfuture.com/research/redhotel-a-prolific-chinese-state-sponsored-group-operating-at-a-global-scale
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Recorded-Future
- threat-actor Earth-Lusca
- malpedia="Brute Ratel C4"
- malpedia="Cobalt Strike"
- malpedia="FunnySwitch"
- malpedia="Spyder"
- malpedia="Winnti (Windows)"
- country="china"
- malpedia="PlugX"
- malpedia="ShadowPad"
- malpedia="reGeorg"
- mitre-attack-pattern=['T1553.002', 'T1574.001', 'T1140', 'T1583.001', 'T1041', 'T1190', 'T1090.002', 'T1036.005', 'T1027', 'T1547.001', 'T1053.005', 'T1584.004', 'T1566.001', 'T1583.003', 'T1595.002', 'T1071.001', 'T1505.003']
MISP event uuid: cdc792d9-86a4-4f7c-8ac2-e0ab2a37d5cd
Indicators of Compromise (IoCs)
type,value,comment
domain, dga.asia, ''
hostname, kb.dga.asia, ''
hostname, video.dga.asia, ''
hostname, sc.dga.asia, ''
hostname, dgti.dga.asia, ''
domain, nhqdc.com, ''
hostname, msdn.microsoft.nhqdc.com, ''
domain, icoreemail.com, ''
hostname, demo.icoreemail.com, ''
domain, officesuport.com, ''
hostname, kiwi.officesuport.com, ''
hostname, cdn.officesuport.com, ''
hostname, test.officesuport.com, ''
hostname, mail.officesuport.com, ''
hostname, ntpc.officesuport.com, ''
hostname, main.officesuport.com, ''
hostname, excel.officesuport.com, ''
hostname, remote.officesuport.com, ''
domain, ismtrsn.club, ''
hostname, lrm.ismtrsn.club, ''
hostname, tgoomh.ismtrsn.club, ''
hostname, news.ismtrsn.club, ''
hostname, icarln.ismtrsn.club, ''
domain, liveonlin.com, ''
hostname, npgsql.liveonlin.com, ''
hostname, public.liveonlin.com, ''
hostname, tech.liveonlin.com, ''
hostname, main.liveonlin.com, ''
hostname, cctv.liveonlin.com, ''
domain, alexa-api.com, ''
hostname, www.alexa-api.com, ''
domain, ngndc.com, ''
hostname, air.ngndc.com, ''
hostname, spa.ngndc.com, ''
hostname, mkn.ngndc.com, ''
domain, ekaldhfl.club, ''
hostname, ts.ekaldhfl.club, ''
hostname, ist.ekaldhfl.club, ''
hostname, downloads.ekaldhfl.club, ''
hostname, pps.ekaldhfl.club, ''
hostname, plt.ekaldhfl.club, ''
hostname, tlt.ekaldhfl.club, ''
hostname, thy.ekaldhfl.club, ''
hostname, us.ekaldhfl.club, ''
domain, asia-cdn.asia, ''
hostname, report.asia-cdn.asia, ''
domain, freehighways.com, ''
hostname, map.freehighways.com, ''
domain, iredemail.com, ''
hostname, index.iredemail.com, ''
hostname, demo.iredemail.com, ''
hostname, open.iredemail.com, ''
hostname, api.iredemail.com, ''
hostname, full.iredemail.com, ''
hostname, bbs.iredemail.com, ''
domain, 0nenote.com, ''
hostname, keep.0nenote.com, ''
hostname, api.asia-cdn.asia, ''
hostname, speedtest.asia-cdn.asia, ''
domain, cyberoams.com, ''
hostname, checkip.cyberoams.com, ''
hostname, usa.ekaldhfl.club, ''
domain, mtlklabs.co, ''
domain, conhostsadas.website, ''
domain, itcom666.live, ''
hostname, qbxlwr4nkq.itcom666.live, ''
hostname, 8kmobvy5o.itcom666.live, ''
domain, itcom888.live, ''
hostname, bwlgrafana.itcom888.live, ''
hostname, itsm-uat-app.itcom888.live, ''
hostname, dkxvb0mf.itcom888.live, ''
hostname, nvw3tdetwx.itcom888.live, ''
hostname, 0j10u9wi.itcom888.live, ''
hostname, yt-sslvpn.itcom888.live, ''
hostname, vappvcsa.itcom888.live, ''
hostname, 94ceaugp.itcom888.live, ''
domain, sibersystems.xyz, ''
hostname, fyalluw0.sibersystems.xyz, ''
hostname, sijqlfnbes.sibersystems.xyz, ''
hostname, jmz8xhxen3.sibersystems.xyz, ''
hostname, 2h3cvvhgtf.sibersystems.xyz, ''
hostname, 3tgdtyfpt9.sibersystems.xyz, ''
hostname, n71qtqemam.sibersystems.xyz, ''
hostname, 711zm77cwq.sibersystems.xyz, ''
hostname, r77wu4s847.sibersystems.xyz, ''
domain, caamanitoba.us, ''
hostname, jw7uvtodx4.caamanitoba.us, ''
hostname, xdryqrbe.caamanitoba.us, ''
hostname, b1k10pk9.caamanitoba.us, ''
hostname, 6hi6m62bzp.caamanitoba.us, ''
domain, livehost.live, ''
hostname, sci.livehost.live, ''
ip-dst, 1.13.82.101, 'C2'
ip-dst, 5.188.33.188, 'C2'
ip-dst, 5.188.33.254, 'C2'
ip-dst, 5.188.34.164, 'C2'
ip-dst, 5.188.34.173, 'C2'
ip-dst, 38.54.16.131, 'C2'
ip-dst, 38.54.16.179, 'C2'
ip-dst, 38.60.199.87, 'C2'
ip-dst, 38.60.199.208, 'C2'
ip-dst, 45.76.186.26, 'C2'
ip-dst, 45.77.153.197, 'C2'
ip-dst, 61.238.103.165, 'C2'
ip-dst, 64.227.132.226, 'C2'
ip-dst, 92.38.169.222, 'C2'
ip-dst, 92.38.176.128, 'C2'
ip-dst, 92.38.178.40, 'C2'
ip-dst, 92.38.178.60, 'C2'
ip-dst, 92.223.90.133, 'C2'
ip-dst, 95.85.91.50, 'C2'
ip-dst, 103.140.239.41, 'C2'
ip-dst, 103.157.142.95, 'C2'
ip-dst, 108.61.158.179, 'C2'
ip-dst, 139.180.193.182, 'C2'
Full IoCs available in Rectifyq's MISP