DarkSide ransomware has been around since August 2020, but only hit the headlines when the cyber gang behind it caused the halt pipeline operations by the Colonial Pipeline Company. They breached the company’s network, forcing Colonial to stop pipeline operations and eventually to pay a ransom of $5 Million.

After the Colonial Pipeline breach, as well as a number of other successful attacks earning them at least $90 Million, members of the DarkSide group supposedly went their separate ways. But once a malicious infrastructure, always a malicious infrastructure (in most cases anyway). ThreatSTOP is constantly monitoring DarkSide-related infrastructure, and our team has seen constant activity on DarkSide domains.

Earlier this month, we posted about a wave of blocked communication attempts between devices protected by ThreatSTOP and the domains fotoeuropa[.]ro and catsdegree[.]com. Since then, we saw more waves of traffic attempts from four other domains also related to DarkSide - lagrom[.]com, gosleepaddict[.]com, securebestapp20[.]com, kgtwiakkdooplnihvali[.]com. Between these six domains, we have seen an accumulated 16+ Million blocked connection attempts in our customer logs. All of these domains are active in our threat targets, which include aggregated threat intelligence from numerous sources.

darkside_domains - ransomware IOCs

Image: ThreatSTOP CheckIOC


We recommend blocking all inbound AND outbound traffic to IOCs related to DarkSide (see list below). If the attackers somehow manage to breach your network don't let their malware exfiltrate your data. Blocking outbound traffic is a critical layer of defense against cyber attacks.

DarkSide Infrastructure Domains

athaliaoriginals[.]com ironnetworks[.]xyz
auth[.]athaliaoriginals[.]com kgtwiakkdooplnihvali[.]com
baa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com koliz[.]xyz
caa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com lagrom[.]com
iaa[.]stage[.]8886370[.]pop[.]athaliaoriginals[.]com los-web[.]xyz
imap[.]athaliaoriginals[.]com openmsdn[.]xyz
baroquetees[.]com rumahsia[.]com
catsdegree[.]com securebestapp20[.]com
ctxinit[.]azureedge[.]net skolibri13[.]azureedge[.]net
darksidedxcftmqa[.]onion sol-doc[.]xyz
darksidfqzcuhtk2[.]onion yeeterracing[.]com
fotoeuropa[.]ro 7cats[.]ch


DarkSide Infrastructure IPs

104[.]193[.]252[.]197 185[.]203[.]116[.]7 23[.]95[.]85[.]176
108[.]62[.]118[.]232 185[.]203[.]117[.]159 45[.]14[.]12[.]108
159[.]65[.]225[.]72 185[.]243[.]214[.]107 45[.]147[.]197[.]220
162[.]244[.]34[.]152 185[.]92[.]151[.]150 45[.]61[.]138[.]171
162[.]244[.]81[.]253 192[.]3[.]141[.]157 45[.]84[.]0[.]127
176[.]123[.]2[.]216 198[.]54[.]117[.]197 46[.]166[.]128[.]144
185[.]105[.]109[.]19 198[.]54[.]117[.]199 51[.]210[.]138[.]71
185[.]180[.]197[.]86 212[.]109[.]221[.]205 80[.]209[.]241[.]4
185[.]203[.]116[.]28 213[.]252[.]247[.]18 81[.]91[.]177[.]54


Protect against this threat by adding the indicators above to your network perimeter access and protective DNS rules. Preventing communication with these IP addresses and domains, and identifying the machines needing remediation will prevent damage and losses from this ransomware. ThreatSTOP automates this for companies and security teams like yours.

For more information about the DarkSide gang, see our earlier blog post.

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works? 

Get a Demo