July 2023 Incident Indicators of Compromise (IoCs)

Note:
  • This article was updated on 2023-08-03 to modify instructions on blocking/alerting on IP addresses.
  • The lists in this article were last updated on 2023-07-14 14:47 UTC. If you haven’t updated since that date, please use the most up-to-date list.

Based on our investigation, we have identified the following malicious IP addresses, domains, and file hashes. Use this data to add protection to your Endpoint Detection and Response (EDR) and perimeter security solutions. This list may be updated periodically.

Use the following list of IP addresses to inspect logs between June 20 and July 5 for any suspicious activity:

  • 1.254.24.19
  • 185.152.67.39
  • 70.39.103.3
  • 66.187.75.186
  • 104.223.86.8
  • 100.21.104.112
  • 23.95.182.5
  • 78.141.223.50
  • 116.202.251.38
  • 89.44.9.202
  • 192.185.5.189
  • 162.241.248.14
  • 179.43.151.196
  • 45.82.250.186
  • 162.19.3.23
  • 144.217.92.197
  • 23.29.115.171
  • 167.114.188.40
  • 91.234.199.179

Note:

Threat actors typically do not keep re-using the same IP addresses, and many of these will be recycled to legitimate owners. Use the IP list for retrospective log review over the window above; continued blocking/alerting on these addresses can result in false positives or block legitimate traffic.

Block all of the following domains for ingress and egress:

  • nomadpkgs[.]com
  • centos-repos[.]org
  • datadog-cloud[.]com
  • toyourownbeat[.]com
  • datadog-graph[.]com
  • centos-pkg[.]org
  • primerosauxiliosperu[.]com
  • zscaler-api[.]org
  • nomadpkg[.]com
  • launchruse[.]com
  • reggedrobin[.]com
  • canolagroove[.]com
  • alwaysckain[.]com
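The following script is an added example (not part of the advisory) that applies both of the lists above to a log file: IP indicators are matched only inside the June 20 to July 5 review window, while the domain indicators are matched on any date because they are to be blocked outright. The `src=/dst=/host=` log format, the local addresses, and the sample log lines are constructed assumptions for illustration; domains are refanged from the `[.]` notation before matching and matched as exact hosts or subdomains.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone
from typing import Optional

# IoCs taken from the two lists above. Domains are kept in the defanged "[.]"
# form the advisory prints them in and refanged before matching.
IOC_IPS = {
    "1.254.24.19", "185.152.67.39", "70.39.103.3", "66.187.75.186",
    "104.223.86.8", "100.21.104.112", "23.95.182.5", "78.141.223.50",
    "116.202.251.38", "89.44.9.202", "192.185.5.189", "162.241.248.14",
    "179.43.151.196", "45.82.250.186", "162.19.3.23", "144.217.92.197",
    "23.29.115.171", "167.114.188.40", "91.234.199.179",
}
IOC_DOMAINS_DEFANGED = [
    "nomadpkgs[.]com", "centos-repos[.]org", "datadog-cloud[.]com",
    "toyourownbeat[.]com", "datadog-graph[.]com", "centos-pkg[.]org",
    "primerosauxiliosperu[.]com", "zscaler-api[.]org", "nomadpkg[.]com",
    "launchruse[.]com", "Reggedrobin[.]com", "Canolagroove[.]com",
    "alwaysckain[.]com",
]


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' form into a matchable lowercase FQDN."""
    return domain.replace("[.]", ".").strip(".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Review window from the advisory (UTC); upper bound is exclusive so July 5 is included.
WINDOW_START = datetime(2023, 6, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 7, 6, tzinfo=timezone.utc)

# Assumed log format (not from the advisory):
#   "<ISO-8601 UTC timestamp> src=<ip> dst=<ip> host=<fqdn or ->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+host=(?P<host>\S+)$"
)


def domain_matches(host: str) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_hits(log_text: str) -> list[dict]:
    """Scan log lines and return one record per IoC hit, in log order."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line; skip rather than abort
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src, dst, host = m["src"], m["dst"], m["host"]
        # IP indicators only matter inside the review window (see the note above).
        if WINDOW_START <= ts < WINDOW_END and dst in IOC_IPS:
            hits.append({"ts": m["ts"], "src": src, "indicator": dst, "type": "ip"})
        # Domain indicators are blocked regardless of date.
        d = domain_matches(host)
        if d is not None:
            hits.append({"ts": m["ts"], "src": src, "indicator": d, "type": "domain"})
    return hits


# Constructed sample log: only the IoC addresses/domains are real indicators;
# every other address is documentation/test space.
SAMPLE_LOG = """\
2023-06-25T10:15:02Z src=10.0.0.5 dst=23.95.182.5 host=-
2023-06-25T10:15:03Z src=10.0.0.5 dst=93.184.216.34 host=example.com
2023-07-01T08:00:00Z src=10.0.0.9 dst=104.21.5.7 host=api.datadog-graph.com
2023-07-10T12:00:00Z src=10.0.0.9 dst=23.95.182.5 host=-
2023-07-12T09:30:00Z src=10.0.0.12 dst=198.51.100.7 host=ReggedRobin.com.
"""

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['indicator']} ({h['type']})")
```

On the sample, the first line is an IP hit inside the window, the fourth line contacts the same IP after July 5 and is deliberately not reported, and the domain hits are reported on any date. Adapt `LINE_RE` to your proxy or firewall export before running it against real logs.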

Do NOT allow these hashes to be executed:

SHA256: 9151ff77b65eeacd5cdddd13c041db3ad9818fd2aebe05d8745227fac7e516b8
SHA1: 92480e506d51d920fcc1d4dba7206c3185317f61
MD5: 3a9c24c92c221658a8bf9ce61d758e1a

SHA256: 4dc71b659c9277c7bb704392f8af5b6b2fbc9a66d3ad80d8cb4df0bd686f0e86
SHA1: cb0e71340f963f7f2f404a0431d82ac809d2b15d
MD5: b8724109e5473b4ca79a13c33b865e32
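As an added example (not code from the advisory), the script below hashes files with all three algorithms in a single read pass and reports any path whose digest is on the list above. Matching on any one algorithm is sufficient for blocking; a SHA-256 match is the authoritative one, since MD5 and SHA-1 are collision-prone. The directory layout and the sample bytes are constructed; the hash values are the ones listed above.

```python
import hashlib
import os
from typing import Dict, List

# The two blocked samples from the advisory, keyed by algorithm (lowercase hex).
BLOCKED: Dict[str, set] = {
    "sha256": {
        "9151ff77b65eeacd5cdddd13c041db3ad9818fd2aebe05d8745227fac7e516b8",
        "4dc71b659c9277c7bb704392f8af5b6b2fbc9a66d3ad80d8cb4df0bd686f0e86",
    },
    "sha1": {
        "92480e506d51d920fcc1d4dba7206c3185317f61",
        "cb0e71340f963f7f2f404a0431d82ac809d2b15d",
    },
    "md5": {
        "3a9c24c92c221658a8bf9ce61d758e1a",
        "b8724109e5473b4ca79a13c33b865e32",
    },
}


def digests_of(data: bytes) -> Dict[str, str]:
    """Compute all three digests of an in-memory blob."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in BLOCKED}


def file_digests(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all three hashers at once (one read pass, large files OK)."""
    hashers = {alg: hashlib.new(alg) for alg in BLOCKED}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def matches(digests: Dict[str, str], blocklist: Dict[str, set] = BLOCKED) -> List[str]:
    """Return the algorithms whose digest is on the blocklist (empty list means clean).

    Comparison is case-insensitive so blocklists pasted in upper-case hex still match.
    """
    hits = []
    for alg, hexd in digests.items():
        wanted = {b.lower() for b in blocklist.get(alg, ())}
        if hexd.lower() in wanted:
            hits.append(alg)
    return hits


def scan_tree(root: str, blocklist: Dict[str, set] = BLOCKED) -> List[str]:
    """Walk a directory and return the paths whose content matches a blocked hash."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if matches(file_digests(path), blocklist):
                    found.append(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
    return found


if __name__ == "__main__":
    import sys

    # Constructed usage: scan the directory given on the command line (default: cwd).
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in scan_tree(root):
        print("BLOCKED HASH MATCH:", p)
```

Run it as `python scan.py /path/to/suspect/tree`; anything printed should be quarantined and its digests submitted to a service such as VirusTotal rather than executed.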

As a reminder, please do not reach out to these IPs or domains directly from your company’s infrastructure. Please use a tool such as VirusTotal when evaluating IoCs.
