Home/APT29/IOCs
IOCs

Indicators for APT29

1,662 indicators · scoped to malware families · back to APT29
Live IOCs from URLhaus, ThreatFox, MalwareBazaar, and abuse.ch SSLBL for malware families this actor uses. All indicators are defanged for safe handling.

Indicators

100 of 1,662
ip:port
101[.]201[.]247[.]234:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
20[.]166[.]18[.]164:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
152[.]136[.]159[.]25:9999
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
218[.]244[.]142[.]4:8888
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
67[.]225[.]255[.]139:8882
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
209[.]59[.]184[.]78:8882
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
121[.]4[.]92[.]72:1111
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]230[.]200[.]254:53
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
ns2[.]jane2010[.]filegear-sg[.]me
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
domain
ns1[.]jane2010[.]filegear-sg[.]me
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
47[.]121[.]197[.]137:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]109[.]23[.]77:4567
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]167[.]177[.]224:7778
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
52[.]220[.]247[.]175:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]128[.]59[.]217:8080
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
bxx2rghe05kng[.]cfc-execute[.]bj[.]baidubce[.]com
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
139[.]224[.]23[.]63:8866
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
52[.]220[.]247[.]175:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
119[.]91[.]254[.]137:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]254[.]218[.]245:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
156[.]239[.]47[.]94:81
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]104[.]248[.]7:8884
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
120[.]48[.]18[.]226:81
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]35[.]214[.]58:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]109[.]202[.]237:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
39[.]102[.]125[.]11:4435
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
195[.]85[.]207[.]253:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]139[.]108[.]161:8192
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]76[.]96[.]68:5555
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
111[.]230[.]217[.]36:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
109[.]244[.]130[.]113:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
104[.]168[.]117[.]123:7777
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]143[.]242[.]10:5555
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]143[.]242[.]10:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]122[.]47[.]221:8880
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
77[.]91[.]97[.]4:53
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
74[.]211[.]98[.]224:7777
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
74[.]211[.]98[.]224:9999
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
49[.]234[.]199[.]152:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
120[.]48[.]25[.]153:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
83[.]229[.]127[.]46:9999
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]92[.]208[.]27:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
154[.]83[.]12[.]132:53
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]154[.]190[.]128:33060
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
103[.]117[.]120[.]98:5555
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
115[.]191[.]25[.]159:7777
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
156[.]239[.]252[.]191:448
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]76[.]96[.]68:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]35[.]95[.]103:4444
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
182[.]255[.]44[.]96:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
51[.]222[.]87[.]16:433
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
cdn[.]sys-update[.]online
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
165[.]154[.]244[.]77:2562
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
43[.]138[.]39[.]212:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
156[.]245[.]144[.]203:8880
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
156[.]245[.]144[.]203:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
156[.]245[.]144[.]203:4443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
119[.]29[.]117[.]194:801
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
60[.]247[.]206[.]23:7443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
115[.]29[.]231[.]140:8888
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
38[.]147[.]170[.]252:7777
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
domain
aliyun[.]commandandcontrol[.]top
family Cobalt Strike source threatfox
VirusTotalOTXurlscancrt.shSecurityTrailsTalosPulsedive
ip:port
188[.]227[.]14[.]105:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
59[.]110[.]40[.]60:8443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
23[.]226[.]136[.]169:50051
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
178[.]157[.]59[.]195:8443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
103[.]39[.]79[.]102:7443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
115[.]190[.]250[.]28:5521
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]92[.]169[.]87:80
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
64[.]89[.]161[.]183:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]104[.]159[.]246:18443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
115[.]190[.]53[.]184:666
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
107[.]172[.]217[.]220:12096
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
81[.]68[.]89[.]216:8088
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
111[.]228[.]4[.]54:4455
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
119[.]91[.]54[.]176:50001
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]200[.]193[.]211:8086
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
83[.]229[.]127[.]46:8888
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
117[.]72[.]191[.]140:8028
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
118[.]107[.]0[.]254:2002
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
128[.]241[.]229[.]70:6001
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
120[.]77[.]211[.]144:12345
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
45[.]192[.]110[.]197:8088
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
1[.]15[.]171[.]190:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
8[.]141[.]93[.]66:12345
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
118[.]107[.]0[.]254:2003
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
47[.]109[.]45[.]70:12345
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
192[.]3[.]233[.]166:59850
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
1[.]15[.]25[.]148:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
106[.]52[.]208[.]143:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
106[.]13[.]137[.]229:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]43[.]2[.]116:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
101[.]133[.]148[.]66:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
115[.]190[.]178[.]249:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
114[.]132[.]150[.]96:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
110[.]40[.]176[.]194:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
120[.]48[.]50[.]33:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
117[.]72[.]214[.]50:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
124[.]223[.]199[.]39:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
ip:port
124[.]221[.]32[.]87:443
family Cobalt Strike source threatfox
VirusTotalAbuseIPDBShodanGreyNoiseOTXCensysTalosPulsedive
Showing 301-400 of 1,662
Prev 4 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin