Trusted Design

Two Years of Pawn Storm

概要

By Feike Hacquebord at Trend Micro. Pawn Storm is an active cyber espionage actor group that has been very aggressive and ambitious in recent years. The group’s activities show that foreign and domestic espionage and influence on geopolitics are the group’s main motives, and not financial gain. Its main targets are armed forces, the defense industry, news media, politicians, and dissidents. We can trace activities of Pawn Storm back to 20041 , and before our initial report in 20142 there wasn’t much published about this actor group. However, since then we have released more than a dozen detailed posts on Pawn Storm. This new report is an updated dissection of the group’s attacks and methodologies—something to help organizations gain a more comprehensive and current view of these processes and what can be done to defend against them.

Created: 2026-02-23

Indicators

• URL - http://account.password-google.com/EditPasswd?e=orysiaua@gmail.com&n=T3J5c2lh&fn=T3J5c2lhK0x1dHNldnljaA== -
• hostname - mail.kuwaitarmy.gov-kw.com -
• domain - webmail-cdu.de -
• hostname - eposta.basbakanlik.qov.web.tr -
• hostname - accounts.g00qle.com -
• URL - https://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd -
• hostname - webmail.mfa.qov.ae -
• hostname - mail.university-tartu.info -
• domain - anadolu-ajansi.com -
• hostname - inside.wada-arna.org -
• domain - sset-aljazeera.net -
• domain - login-osce.org -
• hostname - mail.wada-awa.org -
• URL - https://accounts.g00qle.com/ServiceLogin/?continue=3Dhttps://security.google.com/settings/security/secureaccount -
• hostname - email.mfa.qov.gs -
• URL - http://tas-cass.org/wpmedia.php?q=653g3g3446g4g4342 -
• hostname - mail.g0v.me -
• hostname - web.mailmil.lv -
• domain - fkit-mil.dk -
• IPv4 - 193.169.244.35 -
• IPv4 - 185.82.202.102 -
• URL - http://account.password-google.com/EditPasswd?e=example@gmail.com&n=&fn= -
• IPv4 - 87.121.52.145 -
• hostname - mail.mod.qov.af -
• hostname - login.accoounts-google.com -
• domain - mail-skupstina.me -
• hostname - mail.academl.com -
• domain - account-aljazeera.net -
• hostname - mod.qov.al -
• domain - onedrive-en-marche.fr -
• hostname - mail.arnf.bg -
• URL - http://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.academi.com/owa/&tids=lkdmfvlkd -
• domain - support-cdu.de -
• hostname - vpn.onderzoekraad.nl -
• domain - dansa.bg -
• domain - kasapp.de -
• domain - mail-isea.ru -
• hostname - mail.hm.qov.hu -
• domain - webmail-mil.gr -
• hostname - webmail.mofa.qov.ae -
• domain - set121.com -
• hostname - account.password-google.com -
• hostname - mail.anadoluajansi.web.tr -
• URL - http://accounts.g00qle.com/ServiceLogin/?continue=3Dhttps://security.google.com/settings/security/secureaccount -
• domain - mail-hurriyet.com -
• domain - tas-cass.org -
• hostname - mail.bostondynamlcs.com -
• hostname - mail.byegm.web.tr -
• domain - mail-gov.me -
• domain - actblues.com -
• hostname - mail.mofa.g0v.qa -
• hostname - security.service-facebook.com -
• hostname - link.candybober.info -
• hostname - sftp.onderzoekraad.nl -
• hostname - mail.fach.rnil.cl -
• hostname - webmail.exerclto.pt -
• hostname - myaccount.google.comsecuritysettingpage.gq -
• URL - http://poczta.mon.q0v.pl/auth/expiredpassword.aspx?sid=JGVjVXJlcEBSQG1FdEVy -
• hostname - webmail.westinqhousenuclear.com -
• hostname - url.googlesetting.com -
• domain - webmail-mil.dk -
• domain - webmail-saic.com -
• hostname - mail.dca.qov.my -
• domain - ssset-aljazeera.net -
• hostname - mail.armf.bg.message-id8665213.tk -
• domain - exua.email -
• domain - mobile-sanoma.net -
• hostname - www.actblues.com -
• domain - sset-aljazeera.com -
• domain - mailmil.ae -
• domain - privacy-yahoo.com -
• domain - mailpho.com -
• hostname - mail.rsaf.qov.sa.com -
• domain - posta-hurriyet.com -
• hostname - e-posta.tbmm.qov.web.tr -
• IPv4 - 46.183.217.74 -
• hostname - e-post.byegm.web.tr -
• domain - mail-navy.ro -
• URL - http://poczta.mon.q0v.pl/owa/auth/expiredpassword.aspx?sid=JGVjVXJlcEBSQG1FdEVy -
• hostname - secure.actblues.com -
• domain - mail-aljazeera.net -
• domain - fortele.ro -
• hostname - poczta.mon.q0v.pl -
• hostname - mail.mod.qov.es -
• URL - http://help-yahoo-service.com/pw/reset.php -
• hostname - mail.moda.qov.sa.com -
• hostname - mail.rnil.am -
• domain - webmail-hurriyet.com -
• IPv4 - 80.255.3.94 -
• domain - mail-pims.org -
• hostname - poczta.mon-gov.pl -
• domain - webmail-mfa.am -
• URL - http://accounts.g00qle.com/ServiceLogin/?continue=3Dhttps://security.google.com/settings/security/secureaccount&hl=3Den&sarp=3Dhttps://mail.google.com/mail/&docid=amVmZnJleS5maXNjaEBnbWFpbC5jb20=&refer=SmVmZnJleStGaXNjaGVy&tel=1 -
• hostname - myaccount.google.comchangepasswordmyaccountidx8jxcn4ufdmncudd.gq -
• IPv4 - 46.166.162.90 -

類似Pulses

• The Spy Kittens Are Back: Rocket Kitten 2 (score: 0.60)
• Operation Armageddon (score: 0.59)
• Operation Iron Tiger (score: 0.57)
• PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA’S UNIT 78020 (score: 0.57)
• Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal (score: 0.56)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る