Trusted Design

Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey

概要

A series of middleboxes on Türk Telekom’s network were being used to redirect hundreds of users attempting to download certain legitimate programs to versions of those programs bundled with spyware. The spyware we found bundled by operators was similar to that used in the StrongPity APT attacks. Before switching to the StrongPity spyware, the operators of the Turkey injection used the FinFisher “lawful intercept” spyware, which FinFisher asserts is sold only to government entities.

Created: 2026-02-23

Indicators

• domain - cdn2-sys-upd.com -
• FileHash-MD5 - 20755b98d7c094747b75b157413e3422 -
• FileHash-MD5 - 5c3f0dcf4aaa699b50154aa245923c86 -
• FileHash-MD5 - 8c8eb5cfc5642a773c5f2b5f59148aa3 -
• FileHash-MD5 - a070fd2cce434a6f0b0d0fa6d3278d22 -
• domain - redirection.bid -
• FileHash-MD5 - d7ec065cc3f563928504f80692578d2f -
• FileHash-MD5 - 43b39fd4ddc386092372da19f6278c25 -
• hostname - system.documentations.live -
• FileHash-MD5 - 58239ea5747d3375278ce7c04db22c1b -
• hostname - download.downloadering.co -
• FileHash-MD5 - 449ba12127133ecd0440a558b083468c -
• FileHash-MD5 - 001316808aa7108b467e8ecc06139c2e -
• FileHash-MD5 - 6ce947913231bd968c86a2737bae7bba -
• hostname - document.downloadingsystem.com -
• hostname - downloading.internetdownloading.co -
• FileHash-MD5 - 6a442a610c047a7a306a12f423978bfb -
• hostname - internet.document-management.today -
• FileHash-MD5 - 08b8b4787f3ce90c6c1483cc127b1cdc -
• domain - upd-ms3-app-state.com -
• FileHash-MD5 - 9b0de56f7f862db73e223f41099fc74c -
• hostname - epoch.wind-files.today -
• hostname - computing.downloaders.today -
• hostname - internet.downloadingdocuments.com -
• hostname - storage.computingdownloads.life -
• hostname - download.downloading.shop -
• domain - ms-cdn-88.com -
• hostname - download.syriantelecommunications.co -
• FileHash-MD5 - 7ad8ad340c084f8185e2bb18cbfde891 -
• FileHash-MD5 - f36e67109ae368c9db109d0a41b5817c -
• domain - and-security-state.com -
• domain - updserv-east-cdn3.com -
• FileHash-MD5 - 461446151be0033a668782c2d7ba58cb -
• hostname - epoch.englishdownloaders.today -
• FileHash-MD5 - 8fea3de31a58415c3fec2e6dd4095575 -
• hostname - bombinate.winload.info -
• FileHash-MD5 - 89180820b47bb11ccf0c8505371e98d1 -
• FileHash-MD5 - 6491df10c766be9c487fb9495d04df6e -
• hostname - solitude.filedownloads.online -
• FileHash-MD5 - a5ae6e0d74052d4f889f2538fdd7cb9b -
• FileHash-MD5 - 205a5502ff0da4a471c4dad0e06c6c57 -
• FileHash-MD5 - be8a344487bcfea66de8e0f0f14d869e -
• FileHash-MD5 - 32bc51088953377d601c6b27ca7484a9 -
• FileHash-MD5 - f344da38958dbc730ddebc10660cd451 -
• FileHash-MD5 - e80d8a0c35133f7485d8e87ade903919 -
• FileHash-SHA256 - 57da6fa244402a7fe5d4f8f8abf2acbc08db3817faee93dd8ccdc8a2a3554245 -
• FileHash-MD5 - be6f2a03dfddbaf1166854730961d13c -
• FileHash-MD5 - 4fe4094302c26e7ea2c58f5ca9f7f993 -
• hostname - system.filedownloaders.com -
• FileHash-MD5 - 90373539c60529153d0d6b0cc857e845 -
• hostname - solitude.file-download.today -
• FileHash-MD5 - 8bb2ba6f1cfa3bd99146688cd1e76bb0 -
• FileHash-SHA256 - 0c61703c325a71091af6c6676fb5da22a69cfc0327a9d2acc06d180dc6e4d3dc -
• FileHash-MD5 - fa90508007b94a4dbfeb8b48d5443ec8 -
• FileHash-MD5 - e436e849d9496ef3f651c1904786c78f -
• FileHash-MD5 - 56bc314bc0d4a0a230a4de2bf978b5ae -
• hostname - epoch.uploaders.online -
• FileHash-SHA256 - 462e85023952d23b74d697911653604b40497424e7a6fe505366addae6c375f7 -
• FileHash-MD5 - 7fd98d6bb1e9d6bcf2e1984e812c1e46 -
• FileHash-MD5 - df0045bd4168893922480f7ccb29860a -
• domain - cdn6-upd-state-app.com -
• FileHash-MD5 - 08d971f5f4707ae6ea56ed2f243c38b7 -
• FileHash-MD5 - 40383bee9846ecbd78581402e3379051 -
• domain - cdn-upd-ms6.com -
• FileHash-MD5 - 3632fb080545d3518d57320466f96cb3 -
• FileHash-MD5 - 3729531c71163cddcded7e70c02a3004 -
• hostname - window.processingdownloads.today -

類似Pulses

• FinFisher surveillance campaigns: Are internet providers involved? (score: 0.67)
• StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved? (score: 0.66)
• FinFisher campaigns using infamous spyware FinSpy, is in the wind (score: 0.62)
• Defending the White Elephant (score: 0.62)
• Compromised Turkish Government Web site leads to malware (score: 0.60)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る