Home/APT29/IOCs
IOCs

Indicators for APT29

1,662 indicators · scoped to malware families · back to APT29
Live IOCs from URLhaus, ThreatFox, MalwareBazaar, and abuse.ch SSLBL for malware families this actor uses. All indicators are defanged for safe handling.

Indicators

100 of 1,662
ip:port
124[.]220[.]36[.]247:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
124[.]220[.]36[.]247:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
178[.]154[.]254[.]203:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
185[.]89[.]78[.]223:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
124[.]220[.]6[.]158:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
123[.]57[.]208[.]37:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
123[.]57[.]208[.]37:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
113[.]31[.]115[.]231:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
81[.]68[.]216[.]220:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
113[.]31[.]115[.]231:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
81[.]68[.]216[.]220:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
168[.]222[.]97[.]93:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
81[.]68[.]216[.]220:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
106[.]75[.]252[.]66:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
103[.]146[.]30[.]121:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
185[.]234[.]157[.]185:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
175[.]178[.]36[.]137:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
106[.]75[.]252[.]66:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
172[.]252[.]232[.]23:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
81[.]172[.]90[.]197:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
172[.]216[.]54[.]73:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
172[.]216[.]116[.]64:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
192[.]200[.]220[.]100:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
106[.]75[.]252[.]66:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]98[.]107[.]233:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
203[.]195[.]157[.]138:8443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
182[.]92[.]115[.]48:7777
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
130[.]94[.]14[.]186:5555
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
172[.]86[.]76[.]154:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
119[.]29[.]112[.]239:8005
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
207[.]56[.]229[.]234:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
206[.]119[.]173[.]149:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]126[.]150[.]253:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
27[.]124[.]19[.]53:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]236[.]91[.]172:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
38[.]14[.]248[.]199:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
38[.]14[.]248[.]199:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]122[.]118[.]104:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
207[.]56[.]229[.]234:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
155[.]138[.]147[.]166:5555
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
107[.]173[.]186[.]7:8001
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
123[.]57[.]208[.]37:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
118[.]31[.]62[.]238:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
1[.]117[.]61[.]9:8443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
ct[.]feliz[.]icu
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
47[.]102[.]184[.]26:8443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]121[.]117[.]88:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
147[.]78[.]2[.]110:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]121[.]117[.]88:8443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
113[.]31[.]115[.]231:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]139[.]170[.]200:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
168[.]222[.]97[.]93:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
168[.]222[.]97[.]93:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
161[.]248[.]87[.]10:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
118[.]31[.]62[.]238:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
117[.]72[.]168[.]103:50011
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]132[.]156[.]12:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]35[.]102[.]87:18443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
117[.]50[.]184[.]221:10080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
112[.]124[.]71[.]123:55555
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
38[.]55[.]124[.]41:16571
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
172[.]245[.]28[.]187:4440
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
117[.]72[.]198[.]62:9987
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
150[.]158[.]109[.]61:9090
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
112[.]213[.]106[.]53:18443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
142[.]171[.]172[.]100:17443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
api[.]apifox[.]top
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
domain
39nasm720z98q[.]cfc-execute[.]bj[.]baidubce[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
139[.]226[.]191[.]247:2082
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
139[.]196[.]50[.]117:9930
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
106[.]53[.]82[.]117:18443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
202[.]95[.]18[.]30:53
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
ns1[.]cacheflow[.]top
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
47[.]94[.]168[.]149:9999
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]83[.]254[.]175:1102
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
1364170351-kld29tgkc1[.]ap-guangzhou[.]tencentscf[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
45[.]202[.]249[.]88:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
45[.]202[.]249[.]88:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
49[.]7[.]54[.]204:8901
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
106[.]14[.]116[.]17:18443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]33[.]225[.]32:8011
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
45[.]207[.]192[.]190:30078
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
207[.]56[.]226[.]75:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
117[.]72[.]168[.]103:16337
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
static[.]slbc7890[.]shop
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
68[.]64[.]178[.]130:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
39[.]101[.]78[.]48:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
124[.]223[.]90[.]150:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
103[.]53[.]81[.]232:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
103[.]53[.]81[.]232:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
1[.]15[.]100[.]187:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
www[.]pronhub[.]shop
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
domain
update[.]javashell[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
domain
1325813086-kvn4jlpgeu[.]ap-shanghai[.]tencentscf[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
domain
1364170351-ivarm6apjz[.]ap-guangzhou[.]tencentscf[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
domain
4176rbz8vepn6[.]cfc-execute[.]bj[.]baidubce[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
domain
www[.]cement-chemistry[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
8[.]211[.]130[.]16:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
172[.]245[.]156[.]179:18443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
webshareclouds[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
Showing 101-200 of 1,662
Prev 2 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin