Malicious Content Identified and Inserted:

  • IPs – 2301
  • Domains – 3406

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • IOCs that were involved in suspicious scanning activities on domains and hosts.
  • IOCs that were involved in Malspam
  • IOCs that were involved in phishing.
  • Malspam campaigns (not attributed to a specific malware) are distributed through fraud e-mails with the subject, "UPS TRACKING NUMBER FOR SHIPMENT."
  • Kasidet is a malware targeting Point of Sale (POS) devices. It spreads through email attachments and fake updates, with the ability to exfiltrate scraped credit card details and passwords from infected machines.
  • Mirai, a Linux malware targeting IoT systems, is primarily used for DDoS attacks. This malware is distributed by identifying vulnerable devices using a table of common factory default usernames and passwords, subsequently logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber-attack. You can read more in our blog, here.
  • ZeroT is a downloader used to install the PlugX Remote Access Trojan (RAT) and distributed primarily through spear-phishing emails. This malware targets entities in Russia, Belarus and Asia. ZeroT showed up in the summer of 2016, following its use by the Chinese APT group linked with cyber actor TA459.
  • The Terror Exploit Kit is advertised and sold in underground forums (by hacker @666_KingCobra) using various names. (i.e. Blaze, Neptune and Eris) According to experts at Malwarebytes Labs, Terror EK was used in a malvertising campaign distributing Smoke Loader through Internet Explorer, Flash and Silverlight exploits. Additionally, Terror EK was involved in a campaign that distributes Andromeda malware through landing pages.
  • Rig Exploit Kit, discovered in mid-2014, primarily exploits vulnerabilities in Internet Explorer, Java, Adobe Flash and Silverlight.
  • Indicators connected to SteamStealer malware, primarily a gaming platform, is distributed by Steam through malicious files in the platform’s chats. This malware causes financial damage by stealing Steam login credentials.
  • Mole Ransomware is part of the CryptoMix malware family. This malware is distributed through Malspam, primarily seen in USPS fake invoices dated April 2017.
  • OilRig Campaign, named by Palo Alto Networks, has origins stemming from the Persian word "Nafti" (Oily). It was hardcoded into a number of analyzed malware samples, with the latest campaign targeting Israeli organizations in April of 2017. Beforehand, this campaign operated two attack waves against Saudi Arabian organizations in late 2015. This campaign has been seen targeting financial institutions and technology organizations in Saudi Arabia, as well as the defense industry. The malware used in the OilRig Campaign is the Helminth Backdoor Trojan.
  • Smoke Loader is Bot first seen in 2011 and used to download malware. After initial installation, Smoke Loader connects to the Command and Control Server with downloadable plugins.
  • Dridex is a strain of banking malware, leveraging macros in Microsoft Office, to infect systems. Once a computer has been infected, Dridex attackers steal banking credentials and other personal information to access a user’s financial records.
  • The NoTrove Campaign, discovered by RiskIQ, is a malvertising campaign active since 2010. This campaign discloses the traffic originating from clicking fake advertisements to traffic brokers and affiliate programs. This campaign was found to have 78 variants, differing in the type of counterfeit offers (survey, promo, prize, etc.), fake software downloads and various redirections that download PUPs or sites selling non-existent merchandise.
  • Cardinal RAT is a remote access Trojan using macros within Microsoft Excel documents to compile the malware's C# code. Researchers at Palo Alto Networks noted the malware was seen in very limited runs, with the ability to capture screenshots of an infected computer, execute commands, and exfiltrate information to a command and control server.

 Security Blog Roundup:

 New/Updated Targets:


  • TSInbound – ThreatSTOP exclusive. This target contains manually validated IP addresses known to participate in inbound attacks on different networks. (Expert mode)
  • Top Public DNS Servers – This list includes the most popular public DNS servers, such as Google and OpenDNS. Can be used for both Blocking and white-listing. (Expert mode)
  • Microsoft Azure Whitelist – Azure is a Cloud hosting platform provided by Microsoft. This target should only be used if communications with the entire Azure service are required. Otherwise we suggest whitelisting communications with services specific to your company. (Expert Mode)
  • Bedep– Malware family. (Expert mode)
  • Bebloh– Malware family. (Expert mode)
  • Beebone- Malware family. (Expert mode)
  • CoreBOT- Malware family. (Expert mode)
  • Geodo- Malware family. (Expert mode)
  • Ramdo- Malware family. (Expert mode)
  • Matsnu– Malware and Backdoor family. (Expert Mode)
  • Gozi– Malware and Spyware family. (Expert mode)
  • Volatile Cedar– APT tool and malware family. (Expert Mode)
  • Kraken – Botnet. (Expert mode)
  • Pushdo– Botnet. (Expert Mode)
  • Qakbot– Botnet. (Expert mode)
  • HesperBot– Banking Trojan family. (Expert mode)
  • Padcrypt– Ransomware family. (Expert Mode)


  • DNS Tunnel IPs – Added to Expert mode on top of the standard mode target.
  • Botnet Domains – Now includes the relevant botnets and malware family targets mentioned above.
  • Banking Domains - Now includes the HesperBot and Bebloh targets mentioned above.
  • Ransomware Domains – Now includes the PadCryrt target.
  • UNIX Server – Now includes the TSInbound target. (Both standard and expert modes)