Team Cymru - S2 Research

Follow us for the latest blogs and IOCs from Team Cymru's S2 Research team.

Team Cymru - S2 Research (teamcymru_S2@infosec.exchange)
2023-01-24

Bonjour #IcedID #BackConnect!

We've spotted a new C2 server being set up on:

5.196.196.252 (🇫🇷)

Expect to see this IP in infection chains in the coming days / hours.

#Recon 👀

cc @netresec

Team Cymru - S2 Research (teamcymru_S2@infosec.exchange)
2023-01-19

January's #OST (Offensive Security Tool) snapshot 📊. The numbers have generally remained the same since December.

We've added #Gophish to our tracking as another tool which we've seen growing in prominence during recent months.

Team Cymru - S2 Research (teamcymru_S2@infosec.exchange)
2023-01-16

Adding to this SentinelLabs research:

sentinelone.com/labs/noname057

The backend infra~ for this group appears to be located in Russia 😲

Target info also hosted on 87.121.52.9 🇧🇬; same URL path as previously '/client/get_targets'... known C2s are mirrors?

Attack infra~ largely hosted at Stark Industries 🇬🇧

NoName057(16) Infrastructure
