# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

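# Aliases: scattered spider, unc3944, roasted oktapus, scatter swine, octo tempest, muddled libra, aa24-241a, pay2key, fox kitten, pioneer kitten, unc757, parisite, rubidium, lemon sandstorm
# NOTE(review): the aliases above appear to cover two separately tracked clusters: scattered spider (unc3944 through muddled libra) and the actors in CISA advisory aa24-241a (pay2key through lemon sandstorm).
# NOTE(review): a hit on this trail does not by itself say which cluster is involved; use the per-section references below before attributing an alert.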

# Reference: https://blog.group-ib.com/0ktapus
# Reference: https://otx.alienvault.com/pulse/6307925a7f9aa39ee9c66d3b
# Reference: https://www.virustotal.com/gui/ip-address/45.32.212.77/relations

activecampaign-okta.com
alorica-vpn.com
arise-okta.com
at-uid.com
atento-help.com
att-citrix.com
att-citrix.net
att-ctx.com
att-id.net
att-mfa.com
att-opus.net
att-rsa.com
att-sso.com
att-sso.net
att-support.org
att-uid.co
att-uid.com
att-uid.net
att-vmware.com
att-vpn.com
att-vpn.org
bandwidth-okta.com
bestbuy-vpn.com
binance-okta.com
box-okta.org
boxokta.com
cb-okta.com
cb-okta.net
cgslnc-okta.com
cloudflare-okta.com
coin-base-okta.com
concentrix-sso.com
concentrixhelp.com
concentrlx.com
conexusonline.com
corp-att.net
customer-internal.com
epicgames-okta.com
epicgames-vpn.com
evernote-onelogin.com
hubspot-sso.com
infosys-vpn.com
intercom-vpn.com
internai-customer.io
iqor-duo.com
iqor-duo.net
iqor-help.com
iqor-help.net
iqor-helpdesk.com
iqor-portal.com
iqor-sso.com
iqor-sso.net
iqor-tmobile.com
klaviyo-sso.com
kucoin-pin.com
kucoin-pin.net
kucoin-sso.com
kucoin-sso.net
kucoinpin.com
kucoinpin.net
loginxarth.tv
maiichlmp.com
mailchimp-help.com
mailchimp-okta.com
mailchimp-sso.com
mailgun-okta.com
manpowergroup-sso.com
mcsupport-okta.com
medailia-okta.com
metropcs-edge.net
microsoft-sso.net
mlcrosoft.cloud
mlcrosoft.info
mytpusa.com
mytpusa.net
okta-drop.com
okta-hubspot.com
okta-oath.com
okta-riotgames.com
okta-sso.net
okta-tmo.org
okta-tmobiie.net
okta-tmobile.org
one-login.co
opus-att.com
ouryahoo-okta.com
ouryahoo-okta.net
ouryahoo-okta.org
ouryahooinc-okta.com
quaifon.com
quaifone.com
qualfon-sso.com
riotgames-okta.com
riotgames-vpn.com
riotgames-vpn.net
rogers-help.net
rogers-rci.com
rogers-rci.net
rogers-sso.com
rogers-sso.net
rogers-ssp.com
sendgrid-okta.org
sinch-sso.com
sitel-help.com
sitel-sso.com
sitel-vpn.net
slack-mailchimp.com
snap-okta.com
snap-okta.net
sprint-idg.net
squarespacehr.com
startek-vpn.com
sutherlandglobal-vpn.com
sykes-help.com
sykes-sso.com
sykes-vpn.com
t-mobiie.co
t-mobiie.net
t-mobiie.org
t-mobile-okta.com
t-mobile-okta.net
t-mobile-okta.org
t-mobile-okta.us
t-mobile-sso.net
t-mobilers.com
t-moblie-okta.com
t-moblie.help
t-moblier.org
t-moblle.org
taskus-sso.com
taskus-vpn.com
techmahindra-sso.com
teleperformance-help.com
teleperformance-sso.com
teleperformance-usa.net
teleperformanceusa-sso.com
telus-sso.com
tmo-okta.com
tmo-sso.com
tmo-sso.net
tmobie.net
tmobile-okta.com
tmobile-okta.net
tmobiler.net
tmoble.net
tmoblie.net
tmoblle.co
tmoblle.net
tmoblle.org
tp-update.com
tp-usa.net
tpusa-citrix.com
transcom-help.com
transcom-sso.com
ttec-help.com
ttec-sso.com
ttec-vpn.com
ttecvpn.com
twiiio-okta.net
twiiio-sso.com
twiiio.net
twiiio.org
twilio-help.com
twilio-okta.com
twilio-sso.com
twit-vpn.com
twitter-okta.com
twlilo.net
uid-att.com
uscc-hr.com
verizon-sso.net
vzw-corp.net
vzwcorp.co
okta.tmobiie.net

# Reference: https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/

activecampaign-hr.com
activecampaignhr.com
activesso.com
actlvecampaign.net
aflac-hr.com
allstate-hr.com
ally-hr.com
amica-hr.com
applesso.com
assurionsso.net
asurion-idp.com
asurionsso.com
athene-usa.com
bbt-hr.com
bbt-work.com
bbtcorp.net
bbtemps.com
bbthour.com
bbtplus.com
bbtvpn.com
bell-hr.com
block-hr.com
block-sso.com
bn-sso.com
cashsso.com
cellularhr.com
cellularsaies.com
cellularsso.com
cgsinchr.com
charter-vpn.com
chartervpn.com
cinfin-hr.com
clicksend-staging.com
cofelyvision.com
connect-asurion.net
connect-cox.com
connect-sso.com
corp-cox.com
corp-foundever.com
corporate-ally.com
corporate-huntington.com
corporate-pnc.com
costsso.com
desksso.com
doordash-support.com
eclerx-sso.com
fidelitysso.com
fireblocks-sso.com
five9-hr.com
foundever-sso.com
freshdesksso.com
freshworks-sso.net
freshworksso.com
gemini-sso.com
gitlabhr.com
gitlabsso.com
grubhub-support.com
grubhubsso.com
hanover-hr.com
hr-intercom.com
hubsso.net
ibexgiobal.com
iliad-sso.com
infobbt.com
intercom-hr.com
intercomsso.net
kemper-support.com
klaviyo-hr.com
klaviyocorp.net
klavlyo.com
linkedinsso.com
login.suniife.com
mercury-hr.com
mutualofomaha-hr.com
my-tsl.com
my-tsl.net
my-twilio.com
myworkspaceinfo.com
newyorklifehr.com
nfp-hr.com
on-sinch.com
orange-sso.com
podium-hr.com
podiumsso.com
postmarksso.com
prntsrc.net
rbx-hr.com
rbxhr.net
realogy-hr.com
recurlysso.com
roblox-hrs.com
sec-sso.net
securian-hr.com
sharing-folders.com
sinchdev.com
singtei.net
square-sso.com
squarespace-hr.com
ssopodium.com
ssotelnyx.com
stargate-sso.com
supporthub-iqor.com
synchronyfinanciai.com
teiekom.net
telesignhr.com
telnyx-sso.com
telnyxsso.com
thrivent-hr.com
transamerica-hr.com
truecorphr.net
trustsso.com
unum-hr.com
unumhr.com
uscchr.com
usccplus.com
uscell.net
uscellular-hr.com
uscellular-sso.com
uscellularhr.com
victrasso.com
vz-hr.com
vzapps-vzn.com
walmartsso.com
walmartworkspace.com
workatbbt.com
yourbbt.com
zen-sso.com
zendesklt.com

# Reference: https://x.com/k3yp0d/status/1828903531664855489
# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
# Reference: https://app.validin.com/detail?find=45.76.65.42&type=ip4&ref_id=725dc1eb270#tab=resolutions
# Reference: https://www.virustotal.com/gui/ip-address/206.71.148.78/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.77/relations
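# Reference: https://www.virustotal.com/gui/ip-address/78.141.238.182/relations
# NOTE(review): this section cites CISA advisory aa24-241a (fox kitten / pioneer kitten in the alias list). Its entries look like vendor and code-hosting lookalikes, not the SSO/helpdesk-themed names elsewhere in this file; confirm attribution against the references before triage.
# NOTE(review): glthub.ddns.net sits under a shared dynamic-DNS zone, so only that exact host is an indicator, never the parent zone.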

api.gupdate.net
app-api.team.beta.btest.cloud
app.team.beta.btest.cloud
beta.btest.cloud
btest.cloud
cloud.sophos.one
forticloud.online
fortigate.forticloud.online
git-lab.net
githubapp.net
glthub.ddns.net
gupdate.net
hostmaster.git-lab.net
login.forticloud.online
sophos.one

# Reference: https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries

authenticate-bt.com
creditkarma-help.com
ibexglobai.com
revolut-ticket.com
servicenow-help.com
login.five9-hr.com
login.uscc-hr.com

# Reference: https://x.com/ValidinLLC/status/1835644171459117398
# Reference: https://www.validin.com/blog/coralling-scattered-spider-with-dns-history/

expediagroup-servicenow.com
freshworks-hr.com
okta-247.com
pfchangs-support.com
servicenow-hrblock.com
247-inc.okta-247.com
account.freshworks-hr.com
account.pfchangs-support.com
account.servicenow-hrblock.com
login.freshworks-hr.com
login.okta-247.com
login.pfchangs-support.com
login.servicenow-hrblock.com

# Reference: https://x.com/TLP_R3D/status/1836737521260109998

acwa-internal.com
applerevoke.com
binance-us-okta.com
coinbase-okta.com
consensys-okta.com
eu-apple.center
livechat-salesforce.com
mcointernal-okta.com
stargate-okta.com

# Reference: https://x.com/t43cr0wl3r/status/1836191001758646386
# Reference: https://pastebin.com/svE6Rz0N
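# Reference: https://urlscan.io/search/#filename%3A%22WebResource.axd%22%20AND%20filename%3A%22MsAjaxJs%22%20AND%20filename%3A%22mdb.min.js%22
# NOTE(review): cms-dashboard.alorica.com in this section is a hostname under alorica.com, which appears to be the organisation's own domain, unlike the lookalike registrations around it (alorica-cms.net, alorica-servicenow.net).
# NOTE(review): confirm that entry against the references above; if it stays, match it as an exact host only, and expect alerts on it to need a false-positive check.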

airtel-servicenow.com
alorica-cms.net
alorica-servicenow.net
alticeusa-helpdesk.com
asurioninc.net
atlassian-helpdesk.com
att-access.com
att-cso.com
att-login.net
att-portal.com
att-uid.org
attuid.net
attuid.org
beazley-sso.com
binance-sso.com
bnymellon-gateway.com
bnymellon-inc.com
bnymellon-internal.com
boxsso.com
cb-servicedesk.com
centerfieid.com
cgi-sso.com
channelportal-helpdesk.com
cms-dashboard.alorica.com
cognizant-sso.com
coinbase-sso.com
com-concentrix-postcv.online
comcast-schedule.com
comcast-schedules.com
comcast360.com
comcastschedule.com
concentrix-servicedesk.com
conduent-servicenow.com
corp-foundever.net
corpworkday.com
coxsso.com
cricket-sso.com
cricketwireiess.co
cricketwlreless.com
ctl-help.com
deiwarenorth.com
discord-sso.com
dropbox-corp.com
dxc-hr.com
ea-helpdesk.com
einstein-360.org
einstein360.net
einstein360.org
epic-servicedesk.com
evolution-sso.com
faneuli.com
fico-servicenow.com
fossil-sso.com
fox-internal.com
fox-sso.com
ibexsso.com
icare-sprint.com
icaresso.com
ienergizer-incidents.net
infocision.net
infosys-servicenow.com
infosys-servicenow.net
infosys-sso.com
infosys-sso.net
intuit-sso.com
jacksonhewitt-service.com
loreal-servicenow.com
loreal-sso.net
lowes-helpdesk.com
lowes-sso.com
macys-servicenow.com
macys-servicenow.net
macys-sso.com
macys-sso.net
mcolnteral.com
mod-sso.com
modsquad-sso.com
mongosso.com
msauth-setup.com
nuance-helpdesk.com
o2sso.com
oath-helpdesk.com
okta.cellularsaies.com
onetouchdlrect.net
onetouchsso.com
pacificlife-sso.net
paloaltonetworks-helpdesk.com
ping.taskus-sso.com
pldt-servicenow.net
preventphishing.net
quaifone.net
rbx-corp.com
rbx-servicedesk.com
recuriy.net
robinhood-servicedesk.com
rogers-helpdesk.net
servicenow-conduent.com
servicenow-ibex.com
servicenow-infosysapps.com
servicenow-sso.com
shopify-helpdesk.com
simpleidentity.help
singtel-corp.com
snapchat-sso.com
sprint-sso.net
sprlnt-sso.net
sprlnt.net
sprlnt.org
sprlntsso.com
sso-att.net
sso-sprint.com
sso-sprlnt.com
sso.ibexgiobal.com
ssoatt.com
ssorogers.com
ssotmo.com
stargatesso.com
sutheriandgiobal.com
sykes-agents.com
sykes-factor.com
syniverse-sso.com
syniverse-sso.net
teleperformance-incident.com
teleperformance-servicedesk.com
telint-helpdesk.com
telstra-sso.net
tmo.cx
tmobble.us
tmobie.org
transunion-sso.net
twiiiosso.com
twilio-sso.net
usceiiuiar.com
usceliuiar.com
wipro-inc.com
wiprohr.com
wlowes-sso.com
workingsolutions-corp.com
xub07-fdexwgl.us
yahoo-lnk.com
zd-corp.co
zd-corp.net
zdcorp.co
zdsso.net
zendesk-servicedesk.com
zendesk-sso.com
zendesk-sso.net
zendesksso.com

# Reference: https://x.com/banthisguy9349/status/1836787723065016678
# Reference: https://x.com/TLP_R3D/status/1837083934900789424

2-okta.com
account-okta.com
apexsumsol-okta.com
api-okta.com
apps.galaxydigital-okta.com
autoconfig.api-okta.com
autodiscover.api-okta.com
bitwise-okta.com
bitwise.bitwise-okta.com
campaignmonitor-okta.com
chia-okta.com
coinbase.reset-okta.com
corporatetools-okta.com
cosmotech.account-okta.com
dce-fleetdm.fleet-okta.com
deeptesting-okta.com
doodle-okta.com
example.hunters-okta.com
fleet-okta.com
flowdesk-okta.com
galaxydigital-okta.com
gravie-okta.com
hackerone-admin-okta.com
hackerone-okta.com
hubspot.login-okta.com
hunters-okta.com
iterable-okta.com
itbit-okta.com
jimdo-okta.com
kingston-okta.com
login-okta.com
login.corporatetools-okta.com
login.galaxydigital-okta.com
login.hunters-okta.com
login.jimdo-okta.com
login.login-okta.com
login.one.galaxydigital-okta.com
login.vice-okta.com
m.usaa-okta.com
mail.doodle-okta.com
mox-okta.com
mta-sts.api-okta.com
mx.doodle-okta.com
navi-okta.com
outlook.doodle-okta.com
reset-okta.com
scribe-api-okta.scribehow-okta.com
secure-okta.com
security-okta.com
shares-okta.com
squarespace-okta.com
tarsusrx-okta.com
turo.corporatetools-okta.com
usaa-okta.com
vice-okta.com
vice.vice-okta.com
yiwu-okta.com

# Reference: https://x.com/k3yp0d/status/1837769047204663338
# Reference: https://www.virustotal.com/gui/ip-address/199.247.14.229/relations
# Reference: https://www.virustotal.com/gui/ip-address/217.69.6.20/relations

amazonaws.work
eu-west-3.amazonaws.work
s3.amazonaws.work

# Reference: https://x.com/TLP_R3D/status/1838128760018673785

ultahub.com
ultainternal.com

# Reference: https://x.com/TLP_R3D/status/1838477165576196491

unchainedprod.com
unchainedprod-okta.com
