
Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

Indicators of Compromise

| Type | Indicator | Description |
|---|---|---|
| network | 104.194.215[.]88 | Observed being used for SSH tunneling |
| network | 13.60.50[.]172 | Observed being used for SSH tunneling |
| network | 167.172.137[.]208 | Observed being used for SSH tunneling |
| network | 34.18.42[.]26 | Observed being used for SSH tunneling |
| network | 4.188.75[.]206 | Observed being used for SSH tunneling |
| network | 4.240.113[.]27 | Observed being used for SSH tunneling |
| network | 40.119.176[.]233 | Observed being used for SSH tunneling |
| network | 46.31.115[.]92 | Observed being used for SSH tunneling |
| network | politicalanorak[.]com | Observed being used for SSH tunneling |
| network | ac-connection-status105.azurewebsites[.]net | GHOSTLINE |
| network | acc-cloud-connection.azurewebsites[.]net | GHOSTLINE |
| network | active-az-check-status45.azurewebsites[.]net | POLLBLEND |
| network | active-az-check-status675.azurewebsites[.]net | POLLBLEND |
| network | active-az-status45.azurewebsites[.]net | POLLBLEND |
| network | active-az-status795.azurewebsites[.]net | POLLBLEND |
| network | active-internal-log65.azurewebsites[.]net | POLLBLEND |
| network | active-internal-logs.azurewebsites[.]net | POLLBLEND |
| network | active-intranet-logs.azurewebsites[.]net | POLLBLEND |
| network | airbus.usa-careers[.]com | Phishing domain for initial access |
| network | airlinecontrolsite.uaenorth.cloudapp.azure[.]com | DEEPROOT |
| network | airlinecontrolsite.westus3.cloudapp.azure[.]com | DEEPROOT |
| network | airplaneserviceticketings[.]com | MINIBIKE |
| network | airseatregister.eastus.cloudapp.azure[.]com | DEEPROOT |
| network | airseatsregister.qatarcentral.cloudapp.azure[.]com | DEEPROOT |
| network | airseatsregistering.qatarcentral.cloudapp.azure[.]com | DEEPROOT |
| network | airtravellog[.]com | TWOSTROKE |
| network | automationagencybusiness.azurewebsites[.]net | TWOSTROKE |
| network | automationagencybusiness[.]com | TWOSTROKE |
| network | browsercheckap.azurewebsites[.]net | MINIBIKE |
| network | codesparkle.eastus.cloudapp.azure[.]com | TWOSTROKE |
| network | connect-acc-492.azurewebsites[.]net | POLLBLEND |
| network | connect-acl-492.azurewebsites[.]net | POLLBLEND |
| network | customerlistchange.eastus.cloudapp.azure[.]com | LIGHTRAIL |
| network | developercodepro.azurewebsites[.]net | TWOSTROKE |
| network | developercodevista.azurewebsites[.]net | TWOSTROKE |
| network | dreamtiniventures.azurewebsites[.]net | TWOSTROKE |
| network | fdtsprobusinesssolutions.azurewebsites[.]net | TWOSTROKE |
| network | fdtsprobusinesssolutions[.]com | TWOSTROKE |
| network | fdtsprobusinesssolutions.eastus.cloudapp.azure[.]com | TWOSTROKE |
| network | fdtsprobusinesssolutions.northeurope.cloudapp.azure[.]com | TWOSTROKE |
| network | forcecodestore[.]com | TWOSTROKE |
| network | hserbhh43.westus3.cloudapp.azure[.]com | Observed being used for SSH tunneling |
| network | infrasync-ac372.azurewebsites[.]net | POLLBLEND |
| network | intra-az-check-status45.azurewebsites[.]net | POLLBLEND |
| network | intra-az-check-status675.azurewebsites[.]net | POLLBLEND |
| network | intra-az-status45.azurewebsites[.]net | POLLBLEND |
| network | intra-az-status795.azurewebsites[.]net | POLLBLEND |
| network | masterflexiblecloud.azurewebsites[.]net | TWOSTROKE |
| network | mso-internal-log65.azurewebsites[.]net | POLLBLEND |
| network | mso-internal-logs.azurewebsites[.]net | POLLBLEND |
| network | mso-intranet-logs.azurewebsites[.]net | POLLBLEND |
| network | mydocs.qatarcentral.cloudapp.azure[.]com | Phishing domain for lateral movement |
| network | nx425-win4945.azurewebsites[.]net | POLLBLEND |
| network | nx4542-win4957.azurewebsites[.]net | POLLBLEND |
| network | nxlog-crash-1567.azurewebsites[.]net | POLLBLEND |
| network | nxlog-win-1567.azurewebsites[.]net | POLLBLEND |
| network | nxversion-win-1567.azurewebsites[.]net | POLLBLEND |
| network | nxversion-win32-1127.azurewebsites[.]net | POLLBLEND |
| network | overqatfa.northeurope.cloudapp.azure[.]com | Observed being used for SSH tunneling |
| network | queuetestapplication.azurewebsites[.]net | MINIBIKE |
| network | skychain13424.azurewebsites[.]net | MINIBIKE |
| network | skychain41334.northeurope.cloudapp.azure[.]com | MINIBIKE |
| network | skychains42745.eastus.cloudapp.azure[.]com | MINIBIKE |
| network | skyticketgrant.azurewebsites[.]net | MINIBIKE |
| network | snare-core.azurewebsites[.]net | POLLBLEND |
| network | storageboxcloud.northeurope.cloudapp.azure[.]com | TWOSTROKE |
| network | storagewiz.co.azurewebsites[.]net | TWOSTROKE |
| network | swiftcode.eastus.cloudapp.azure[.]com | TWOSTROKE |
| network | swifttiniventures.azurewebsites[.]net | TWOSTROKE |
| network | terratechworld.eastus.cloudapp.azure[.]com | TWOSTROKE |
| network | thecloudappbox.azurewebsites[.]net | TWOSTROKE |
| network | thestorageboxcloud.northeurope.cloudapp.azure[.]com | TWOSTROKE |
| network | thetacticstore[.]com | TWOSTROKE |
| network | thevaultapp.westus3.cloudapp.azure[.]com | TWOSTROKE |
| network | thevaultspace.eastus.cloudapp.azure[.]com | TWOSTROKE |
| network | tini-ventures[.]com | TWOSTROKE |
| network | vcphone-ms.azurewebsites[.]net | POLLBLEND |
| network | vcs-news[.]com | Observed being used for SSH tunneling |
| network | vm-ticket-svc.azurewebsites[.]net | POLLBLEND |
| network | vm-tools-svc.azurewebsites[.]net | POLLBLEND |
| network | vmware-health-ms.azurewebsites[.]net | POLLBLEND |

YARA Rules


```yara
import "pe"

rule M_APT_Utility_DCSYNCER_SLICK_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        md5 = "10f16991665df69d1ccd5187e027cf3d"
    strings:
        $ = { 48 89 84 24 ?? 01 00 00 C7 84 24 ?? 01 00 00 30 80 28 00 C7 84 24 ?? 01 00 00 E8 03 00 00 48 C7 84 24 ?? 01 00 00 00 00 A0 00 BA ?? 00 00 00 8D 4A ?? FF 15 ?? ?? 01 00 48 89 84 24 ?? 01 00 00 C7 00 01 00 00 00 48 8B 84 24 ?? 01 00 00 44 89 ?? 04 48 8B 84 24 ?? 01 00 00 C7 40 08 ?? 00 00 00 41 8B ?? }
        $ = "\\LOG.txt" ascii wide
        $ = "%ws_%d:%d:" ascii wide fullword
        $ = "%ws:%d:" ascii wide fullword
        $ = "::::" ascii wide fullword
        $ = "%ws_%d:%d::" ascii wide fullword
        $ = "%ws:%d::" ascii wide fullword
    condition:
        pe.is_pe and all of them
}
```

```yara
import "pe"

rule M_APT_Utility_CRASHPAD_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        md5 = "b2bd275f97cb95c7399065b57f90bb6c"
    strings:
        $ = "[-] Loo ror: %u" ascii fullword
        $ = "[-] Adj r: %u" ascii fullword
        $ = "[-] Th ge. " ascii fullword
        $ = "[+] O s!" ascii fullword
        $ = "[-] O C: %i" ascii fullword
        $ = "[-] O E: %i" ascii fullword
        $ = "[+] Op cess!" ascii fullword
        $ = "[-] Op Code: %i" ascii fullword
        $ = "[-] O Error: %i" ascii fullword
        $ = "[+] Im su!" ascii fullword
        $ = "[+] R" ascii fullword
        $ = "[-] Impe Code: %i" ascii fullword
        $ = "[-] Imo: %i" ascii fullword
        $ = "[+] Du success!" ascii fullword
        $ = "[-] Du Code: %i" ascii fullword
        $ = "[-] Du Error: %i" ascii fullword
        $ = "[+] Dec Suc." ascii fullword
        $ = "%02X" ascii fullword
        $ = "Decryption failed" ascii fullword
        $ = "config.txt"
        $ = "crash.log"
        $ = "[+] e wt!" ascii fullword
        $ = "[+] p %d!" ascii fullword
        $ = "[+] e!" ascii fullword
    condition:
        pe.is_pe and 15 of them
}
```

Google Security Operations Detections

Google SecOps customers receive robust detection for UNC1549 TTPs through curated threat intelligence from Mandiant and Google Threat Intelligence. This frontline intelligence is operationalized within the platform as custom detection signatures and advanced YARA-L rules.



Published: 2025-11-17T14:00:00


© Segmentation Fault. All rights reserved.