Trusted Design

RATs from the Underground

概要

In this third part of Unit 42’s Cybercrime Underground blog series, we’re taking a slightly different approach. In this blog we begin with data from a real attack in the wild, and use the evidence from that attack to make a connection back to underground forums and the actors who are using them. The malware we observed on this infrastructure was almost uniquely commodity RATs including DarkComet, DarkTrack, LuminosityLink, NJRAT, ImminentMonitor, NanoCore, Orcus, NetWireRAT, BabylonRAT, Remcos, ZyklonHTTP, SandroRAT, RevengeRAT, SpyNote, QuasarRAT, and HWorm.

Created: 2026-02-23

Indicators

• hostname - nullbyte.duckdns.org -
• hostname - weareprometheus.tinydns.xyz -
• hostname - kromosho.sytes.net -
• YARA - 96b57078fb40bd776667d104a6b55f43d8b80492 -
• hostname - onye-nna.ddns.net -
• hostname - wezeen578.fishdns.com -
• hostname - sp00ky.myftp.biz -
• hostname - network.systemsecurity.cf -
• YARA - 3d0da0f3fe4465c8c8bed7e5a18e1ea34cf0dd98 -
• hostname - chathanz.dynu.com -
• hostname - deymoss.duckdns.org -
• hostname - jmcoru.ddns.net -
• YARA - a2889d673bf0219abf8e30e7ecf441ac567fa1ce -
• hostname - gnu.linuxrepository.xyz -
• FileHash-SHA1 - 798e9f43fc199269a3ec68980eb4d91eb195436d -
• hostname - dust.amxdust.xyz -
• hostname - home.maddiewang.com -
• hostname - angelman.no-ip.org -
• hostname - kraken28.myz.info -
• hostname - localservice.ddns.net -
• hostname - daniyel.zapto.org -
• YARA - 7850ec4e25d8224b406a80396aa776ca6f5f94c4 -
• hostname - iamawesome.freedns.tech -
• hostname - district9.fishdns.com -
• hostname - xuofmx.dankdns.xyz -
• hostname - zixsnzcvz.dynapoint.pw -
• hostname - ayyyyyy.chickenkiller.com -
• domain - airzwcv.xyz -
• hostname - jointish.ddns.net -
• hostname - jmcoru2.fagdns.com -
• hostname - cleinttwelve.ddns.net -
• hostname - owner2016.zapto.org -
• hostname - layziebone009.ddns.net -
• YARA - 84cad77dc1fec907643532176a1f05bb5e1878b3 -
• hostname - k3k3rekt.duckdns.org -
• hostname - luminost.freedns.tech -
• hostname - freelaser.no-ip.org -
• YARA - 307478d6f0580c9f7076541806b753cce83bfadb -
• domain - wordwrap.pw -
• YARA - 518de1abe4c47aa01e5110b00a1f6c659b61ffad -
• hostname - lmaobox.csgoblock.com -
• hostname - ookey.linkpc.net -
• hostname - hehehe.no-ip.info -
• YARA - ba078c8a0291ac1fcc2f859591120a7a4bce105c -
• domain - blogmus.cf -
• hostname - hellolightness.ddns.net -
• hostname - fizipop.freedns.tech -
• hostname - cleintten.no-ip.biz -
• hostname - kelbhie.duckdns.org -
• hostname - csgos.freedns.tech -
• hostname - justdiehood.fishdns.com -
• hostname - akaros79.no-ip.biz -
• hostname - triplekmafia.duckdns.org -
• domain - latehost.net -
• hostname - kinval456.ddns.net -
• hostname - xuofmx.alcatelupd.xyz -
• hostname - it-milano.ra4wvpn.com -
• domain - jmcoru.com -
• hostname - aixzvcxvnz.fagdns.com -
• hostname - aminzzzzz.no-ip.biz -
• YARA - 7502d2b4e7235d836074baf2c048431ddda0f105 -
• hostname - zarasrl2016.ddns.net -
• hostname - eagleeyenike.dankdns.xyz -
• hostname - seekingpvp101.duckdns.org -
• YARA - 0d5588ac9a86c4d873f34ba82a9fd583b62f38ce -
• hostname - stomedykira.freedns.tech -
• hostname - mobutu4spirit.hopto.org -
• hostname - cleintten101.no-ip.biz -
• hostname - googledoc.duckdns.org -
• hostname - blogpiu.sytes.net -
• YARA - 09e1f8897d2815ec74a075761d091890e1935437 -
• hostname - letsgopeople.fagdns.com -
• hostname - zealservice.ddns.net -
• hostname - droidnuuuu.chickenkiller.com -
• hostname - league.runescape.csgo.siliconrouting.pw -
• hostname - grovt.duckdns.org -
• hostname - quadratic.nullroute.pw -
• domain - katarepaa.tk -
• hostname - intexylo.ddns.net -
• hostname - soycraft2.duia.pw -
• hostname - fbstatic.duckdns.org -
• hostname - hutlerplek.duckdns.org -
• hostname - c329.duckdns.org -
• hostname - logicistheman.freedns.tech -
• hostname - a4ti3ec5089.no-ip.info -
• hostname - putty123.ignorelist.com -
• hostname - credithax0r.bounceme.net -
• hostname - vivekhaxor007.ddns.net -
• hostname - softwareoutlet.myftp.biz -
• hostname - jmcoru2.appleupdate.xyz -
• hostname - eth0s123.ddns.net -
• hostname - shinezz.duckdns.org -
• YARA - 3fd90296fd4d3cd1acc259ac665df572b8dba1df -
• YARA - 8e0dc74a720a69328221bdd508dd5a14f0eda186 -
• hostname - z33k1337.mooo.com -
• hostname - cleintten.duckdns.org -
• hostname - jluxi.dynu.com -
• hostname - de-frankfurt.ra4wvpn.com -
• YARA - 4c3a720bb8bd269c278874d0d3363e796f4b64cc -
• hostname - jihanenouhaila.ddns.net -
• hostname - devteam.ddns.net -
• hostname - duckyforyou22.dynu.com -
• hostname - indablood.chickenkiller.com -
• hostname - justicebro.linkpc.net -
• hostname - skinscats.duckdns.org -
• hostname - amanghacker123.no-ip.biz -
• YARA - d5195c33ff51d6eefc402dc29b4a511e26408dcc -
• hostname - rattingskid.duckdns.org -
• hostname - bfbackup.baepaws.ru -
• hostname - csgodoubleee.csgoblock.com -
• hostname - machination.dynu.com -
• hostname - nn12.fishdns.com -
• hostname - l33twizard.duckdns.org -
• hostname - thyshallascend.tinydns.tech -
• hostname - salty1.ddns.net -
• hostname - timelogs.freedns.su -
• hostname - danrarkelenter.fishdns.com -
• hostname - pabloescobar.freedns.su -
• hostname - identitytealeaf.chickenkiller.com -
• hostname - iufgaj.hopto.org -
• hostname - ra4rro1.dynamicdns.science -
• hostname - lmaobox.systemsecurity.cf -
• hostname - machination.duia.in -
• domain - fagdns.su -
• YARA - ab75e8252ed6d54d7928e28775e3ef1b6f90bef4 -
• hostname - matoxenoon.freedns.tech -
• hostname - nn12.fagdns.com -
• hostname - machination.xresurrection.xyz -
• hostname - upman.ddns.net -
• hostname - game.mruni.club -
• hostname - emekau2002.ddns.net -
• YARA - 42701fa4b172ffe3d3bcaeebe09c3df36ac27940 -
• hostname - amangkirkuki12.ddns.net -
• hostname - audioadapter.fishdns.com -
• hostname - hurensohn52.ddns.net -
• hostname - www.argenta.be.avsbe.eu -
• YARA - 3b24f6d7b82ccb77bcf8182b2e8f427e4d72b1a3 -
• hostname - jmcoru.appleupdate.xyz -
• hostname - blackjack.alcatelupd.xyz -
• hostname - sphiinxballert.gotdns.ch -
• hostname - dellboy22.couchpotatofries.org -
• hostname - indablood.ignorelist.com -
• hostname - updatechecker.myftp.biz -
• hostname - childofthecorn.freedns.su -
• hostname - babybabyratta.csgoblock.com -
• hostname - dangermm.no-ip.biz -
• hostname - peet11.crabdance.com -
• domain - pm2bitcoin.com -
• hostname - rektscrubsomg.dynamicdns.science -
• hostname - gloryhour.no-ip.biz -
• domain - dettar.xyz -
• YARA - 54fc09814315d10f287c5f50d795ae6597cfce07 -
• hostname - www.bnpparibasfortis.be.avsbe.eu -
• hostname - cool.freedns.tech -
• hostname - justice.linkpc.net -
• hostname - rkoertig.jumpingcrab.com -
• hostname - cyber.freedns.su -
• hostname - spot.utopian.xyz -
• hostname - omgrektomgrekt.ignorelist.com -
• YARA - dc2a15f52e30b5b928f5bc03f16bd87890cc46be -
• hostname - omer16.no-ip.biz -
• hostname - machination.xinvasion.xyz -
• hostname - swaggedout.duckdns.org -
• hostname - supremeisgay.ns0.it -
• hostname - xcrew.crabdance.com -
• hostname - loverat.porn60s.com -
• hostname - hujscsrs.servehalflife.com -
• hostname - xgcfvgbhj.ddns.net -
• hostname - mcfunny146.fishdns.com -
• YARA - d78636ca00308bb383eae66b8d8d1b678424fd44 -
• hostname - seperatemyself.dramacenter.xyz -
• hostname - insanitypks.chickenkiller.com -
• domain - vulpexfucker.de -
• hostname - kefero.chickenkiller.com -
• domain - secure-mail.xyz -
• hostname - getversionid.myftp.org -
• hostname - crazypkss.chickenkiller.com -
• hostname - cool.securenetwork.host -
• hostname - manbks123.ddns.net -
• hostname - mocklngblrd.freedns.su -
• hostname - seekingpvp13.ddns.net -
• hostname - goodperson.freedns.tech -
• hostname - dellboy12.ditchyourip.com -
• hostname - machination.fishdns.com -
• hostname - loudpack101.ddns.net -
• YARA - 51bbcb91fc1125efbbb9e42f3d19c8ab0511d77d -
• hostname - game.vilniusmail.co -
• YARA - 7a91f7c2ae6b51a0e0378164c422948535c49aaf -
• hostname - carlos1388.ddns.net -
• hostname - www.ing.nl.fbbsbe.eu -
• hostname - getpoopedonkid.freedns.tech -
• hostname - uzoowalter.duckdns.org -
• hostname - cool.londonstresser.uk -
• hostname - jmcoru.fagdns.com -
• hostname - mathew79.no-ip.biz -
• hostname - phazeonrunescape.no-ip.org -
• hostname - cozyboys.dankdns.xyz -
• hostname - poker.whizwhener.ru -
• domain - mickaelworldpictures.xyz -
• hostname - krookodilezombie.duckdns.org -
• hostname - ro-bucharest.ra4wvpn.com -
• hostname - milkshakemodz.duckdns.org -
• YARA - 0736870c27f76ffe923dbe5aec60c765748c69de -
• hostname - xekush32.chickenkiller.com -
• hostname - indahood.dynapoint.pw -
• hostname - z33k.chickenkiller.com -
• YARA - dc9227e547114816d499cea632988c9c52e35f37 -
• hostname - classiccream.hopto.org -
• hostname - jlux123.no-ip.biz -
• hostname - swyratfr.no-ip.org -
• hostname - hitmefag.hitmefag.cf -
• hostname - hitme.struggle.cf -
• hostname - smithsure92.no-ip.biz -
• hostname - randomlovezs.duckdns.org -
• hostname - destinified.ddns.net -
• YARA - 32bbb6036942987ad4a4d79937af027b46992e0a -
• hostname - windowsaudio.fishdns.com -
• hostname - antisec8899.no-ip.info -
• hostname - zilinxgroup.ddns.net -
• YARA - 7368c603a4edca02123cc5d17ee59120b1aac5f2 -
• hostname - gstatlc.duckdns.org -
• hostname - mshal.mooo.com -
• hostname - crazypks.chickenkiller.com -
• hostname - godsechf.chickenkiller.com -
• domain - javasunsystemapis.ga -
• domain - kurd-paypal.info -
• hostname - donkeykong.dankdns.xyz -
• hostname - tabaninfo.bounceme.net -
• domain - sockestsoft.xyz -
• hostname - topkekmofo.duckdns.org -
• hostname - antisec40401.no-ip.info -
• hostname - redtr.dumb1.com -
• hostname - zido.homepc.it -
• hostname - whowas.strangled.net -
• hostname - antisec8394.no-ip.info -
• hostname - microsoftupdatetool.no-ip.org -
• hostname - faddd331rat.zapto.org -
• hostname - airzwcvzq.nullroute.pw -
• YARA - 6a91c82657e0cdeba780b53544aaa92c99ca7e7a -
• domain - wordmat.pw -
• hostname - mrpooper.freedns.tech -
• hostname - buildcheck.zapto.org -
• domain - andrewsnetwork.co.uk -
• hostname - amoxicillina1.no-ip.biz -
• hostname - conelobriks.hopto.org -
• hostname - uk-hampshire.ra4wvpn.com -
• hostname - coralgroups.no-ip.biz -
• YARA - 4f1352ab889a7954372114aed22431775175c612 -
• hostname - fbiserver.ignorelist.com -
• hostname - amateurz.zapto.org -
• hostname - nn12.chickenkiller.com -
• hostname - ts.shiro.pw -
• hostname - habbahabba.bounceme.net -
• hostname - alrightlad.chickenkiller.com -
• hostname - stalker.fishdns.com -
• hostname - superhackmods.duckdns.org -
• hostname - xvczasiu.freeddns.org -
• hostname - projectk.duckdns.org -
• hostname - deadpixel.securedns.site -
• YARA - 0b5aaeb5a539a31851bab566633566a280ebe0f2 -
• hostname - alexoler.fishdns.com -
• domain - javasunsystemapi.ga -
• hostname - kalashas.no-ip.biz -
• domain - telemetrynetwork.cf -
• hostname - sampledog.freedns.tech -
• YARA - 49cd81b24596a440662af5c296ecc0961ca2511d -
• hostname - dellboy27.eating-organic.net -
• hostname - psyborg.strangled.net -
• hostname - audioadapterplugin.chickenkiller.com -
• hostname - jmcoru.alcatelupd.xyz -
• hostname - watchingj.ddns.net -
• hostname - shots.servebeer.com -
• hostname - 1991668.crabdance.com -

類似Pulses

• Down the H-W0rm Hole with Houdinis RAT (score: 0.77)
• Connecting the Dots: Syrian Malware Team Uses BlackWorm for Attacks (2014) (score: 0.67)
• RATs, Hackers and Rihanna (score: 0.64)
• DarkComet RAT (score: 0.63)
• Malicious Word document delivers LuminosityLink RAT (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る