| Type | Description | Artifact |
| --- | --- | --- |
| IP | C2 server hosting apt.tar.gz, update.tar.gz, and amp.tar.gz. | 130[.]94[.]6[.]228 |
| IP | Target of a `curl -ik` command to verify HTTPS access to their infrastructure. | 38[.]180[.]205[.]14 |
| IP | Threat actor's SoftEtherVPN server. | 38[.]60[.]194[.]21 |
| IP | Attacker IP | 38[.]54[.]112[.]184 |
| IP | Attacker IP | 38[.]60[.]171[.]242 |
| IP | Attacker IP | 195[.]123[.]211[.]70 |
| IP | Attacker IP | 202[.]59[.]10[.]122 |
| IP | Hosting malicious C2 domain. | 38[.]60[.]252[.]66 |
| IP | Hosting malicious C2 domain. | 45[.]76[.]184[.]214 |
| IP | Hosting malicious C2 domain. | 45[.]90[.]59[.]129 |
| IP | Hosting malicious C2 domain. | 195[.]123[.]226[.]235 |
| IP | Hosting malicious C2 domain. | 65[.]20[.]104[.]91 |
| IP | Hosting malicious C2 domain. | 5[.]34[.]176[.]6 |
| IP | Hosting malicious C2 domain. | 139[.]84[.]236[.]237 |
| IP | Hosting malicious C2 domain. | 149[.]28[.]128[.]128 |
| IP | Hosting malicious C2 domain. | 38[.]54[.]31[.]146 |
| IP | Hosting malicious C2 domain. | 178[.]79[.]188[.]181 |
| IP | Hosting malicious C2 domain. | 38[.]54[.]37[.]196 |
| IP | SoftEtherVPN server. | 207[.]148[.]73[.]18 |
| IP | SoftEtherVPN server. | 38[.]60[.]224[.]25 |
| IP | SoftEtherVPN server. | 149[.]28[.]139[.]125 |
| IP | SoftEtherVPN server. | 38[.]54[.]32[.]244 |
| IP | SoftEtherVPN server. | 38[.]54[.]82[.]69 |
| IP | SoftEtherVPN server. | 45[.]76[.]157[.]113 |
| IP | SoftEtherVPN server. | 45[.]77[.]254[.]168 |
| IP | SoftEtherVPN server. | 139[.]180[.]219[.]115 |
| User-Agent | GRIDTIDE User-Agent string. | Directory API Google-API-Java-Client/2.0.0 Google-HTTP-Java-Client/1.42.3 (gzip) |
| User-Agent | GRIDTIDE User-Agent string. | Google-HTTP-Java-Client/1.42.3 (gzip) |
| Domain | C2 domain | 1cv2f3d5s6a9w[.]ddnsfree[.]com |
| Domain | C2 domain | admina[.]freeddns[.]org |
| Domain | C2 domain | afsaces[.]accesscam[.]org |
| Domain | C2 domain | ancisesic[.]accesscam[.]org |
| Domain | C2 domain | applebox[.]camdvr[.]org |
| Domain | C2 domain | appler[.]kozow[.]com |
| Domain | C2 domain | asdad21ww[.]freeddns[.]org |
| Domain | C2 domain | aw2o25forsbc[.]camdvr[.]org |
| Domain | C2 domain | awcc001jdaigfwdagdcew[.]giize[.]com |
| Domain | C2 domain | bab2o25com[.]accesscam[.]org |
| Domain | C2 domain | babaji[.]accesscam[.]org |
| Domain | C2 domain | babi5599ss[.]ddnsgeek[.]com |
| Domain | C2 domain | balabalabo[.]mywire[.]org |
| Domain | C2 domain | bggs[.]giize[.]com |
| Domain | C2 domain | bibabo[.]freeddns[.]org |
| Domain | C2 domain | binmol[.]webredirect[.]org |
| Domain | C2 domain | bioth[.]giize[.]com |
| Domain | C2 domain | Boemobww[.]ddnsfree[.]com |
| Domain | C2 domain | brcallletme[.]theworkpc[.]com |
| Domain | C2 domain | btbtutil[.]theworkpc[.]com |
| Domain | C2 domain | btltan[.]ooguy[.]com |
| Domain | C2 domain | camcampkes[.]ddnsfree[.]com |
| Domain | C2 domain | camsqewivo[.]kozow[.]com |
| Domain | C2 domain | ccammutom[.]ddnsgeek[.]com |
| Domain | C2 domain | cdnvmtools[.]theworkpc[.]com |
| Domain | C2 domain | cloacpae[.]ddnsfree[.]com |
| Domain | C2 domain | cmwwoods1[.]theworkpc[.]com |
| Domain | C2 domain | cnrpaslceas[.]freeddns[.]org |
| Domain | C2 domain | codemicros12[.]gleeze[.]com |
| Domain | C2 domain | cressmiss[.]ooguy[.]com |
| Domain | C2 domain | cvabiasbae[.]ddnsfree[.]com |
| Domain | C2 domain | cvnoc01da1cjmnftsd[.]accesscam[.]org |
| Domain | C2 domain | cvpc01aenusocirem[.]accesscam[.]org |
| Domain | C2 domain | cvpc01cgsdfn53hgd[.]giize[.]com |
| Domain | C2 domain | DCLCWPDTSDCC[.]ddnsfree[.]com |
| Domain | C2 domain | dlpossie[.]ddnsfree[.]com |
| Domain | C2 domain | dnsfreedb[.]ddnsfree[.]com |
| Domain | C2 domain | doboudix1024[.]mywire[.]org |
| Domain | C2 domain | evilginx2[.]loseyourip[.]com |
| Domain | C2 domain | examp1e[.]webredirect[.]org |
| Domain | C2 domain | faeelt[.]giize[.]com |
| Domain | C2 domain | fakjcsaeyhs[.]ddnsfree[.]com |
| Domain | C2 domain | fasceadvcva3[.]gleeze[.]com |
| Domain | C2 domain | ffosies2024[.]camdvr[.]org |
| Domain | C2 domain | fgdedd1dww[.]gleeze[.]com |
| Domain | C2 domain | filipinet[.]ddnsgeek[.]com |
| Domain | C2 domain | freeios[.]theworkpc[.]com |
| Domain | C2 domain | ftpuser14[.]gleeze[.]com |
| Domain | C2 domain | ftpzpak[.]kozow[.]com |
| Domain | C2 domain | globoss[.]kozow[.]com |
| Domain | C2 domain | gogo2025up[.]ddnsfree[.]com |
| Domain | C2 domain | googlel[.]gleeze[.]com |
| Domain | C2 domain | googles[.]accesscam[.]org |
| Domain | C2 domain | googles[.]ddnsfree[.]com |
| Domain | C2 domain | googlett[.]camdvr[.]org |
| Domain | C2 domain | googllabwws[.]gleeze[.]com |
| Domain | C2 domain | gtaldps31c[.]ddnsfree[.]com |
| Domain | C2 domain | hamkorg[.]kozow[.]com |
| Domain | C2 domain | honidoo[.]loseyourip[.]com |
| Domain | C2 domain | huygdr12[.]loseyourip[.]com |
| Domain | C2 domain | icekancusjhea[.]ddnsgeek[.]com |
| Domain | C2 domain | idstandsuui[.]kozow[.]com |
| Domain | C2 domain | indoodchat[.]theworkpc[.]com |
| Domain | C2 domain | jarvis001[.]freeddns[.]org |
| Domain | C2 domain | Kaushalya[.]freeddns[.]org |
| Domain | C2 domain | khyes001ndfpnuewdm[.]kozow[.]com |
| Domain | C2 domain | kskxoscieontrolanel[.]gleeze[.]com |
| Domain | C2 domain | ksv01sokudwongsj[.]theworkpc[.]com |
| Domain | C2 domain | lcskiecjj[.]loseyourip[.]com |
| Domain | C2 domain | lcskiecs[.]ddnsfree[.]com |
| Domain | C2 domain | losiesca[.]ddnsgeek[.]com |
| Domain | C2 domain | lps2staging[.]ddnsfree[.]com |
| Domain | C2 domain | lsls[.]casacam[.]net |
| Domain | C2 domain | ltiuys[.]ddnsgeek[.]com |
| Domain | C2 domain | ltiuys[.]kozow[.]com |
| Domain | C2 domain | mailsdy[.]gleeze[.]com |
| Domain | C2 domain | maliclick1[.]ddnsfree[.]com |
| Domain | C2 domain | mauritasszddb[.]ddnsfree[.]com |
| Domain | C2 domain | meetls[.]kozow[.]com |
| Domain | C2 domain | Microsoft[.]bumbleshrimp[.]com |
| Domain | C2 domain | ml3[.]freeddns[.]org |
| Domain | C2 domain | mlksucnayesk[.]kozow[.]com |
| Domain | C2 domain | mmmfaco2025[.]mywire[.]org |
| Domain | C2 domain | mms[.]bumbleshrimp[.]com |
| Domain | C2 domain | mmvmtools[.]giize[.]com |
| Domain | C2 domain | modgood[.]gleeze[.]com |
| Domain | C2 domain | Mosplosaq[.]accesscam[.]org |
| Domain | C2 domain | mysql[.]casacam[.]net |
| Domain | C2 domain | nenigncagvawr[.]giize[.]com |
| Domain | C2 domain | nenignenigoncqvoo[.]ooguy[.]com |
| Domain | C2 domain | nenigoncqnutgo[.]accesscam[.]org |
| Domain | C2 domain | nenigoncuopzc[.]giize[.]com |
| Domain | C2 domain | nims[.]gleeze[.]com |
| Domain | C2 domain | nisaldwoa[.]theworkpc[.]com |
| Domain | C2 domain | nmszablogs[.]ddnsfree[.]com |
| Domain | C2 domain | nodekeny11[.]freeddns[.]org |
| Domain | C2 domain | nodjs2o25nodjs[.]giize[.]com |
| Domain | C2 domain | Npeoples[.]theworkpc[.]com |
| Domain | C2 domain | officeshan[.]kozow[.]com |
| Domain | C2 domain | okkstt[.]ddnsgeek[.]com |
| Domain | C2 domain | oldatain1[.]ddnsgeek[.]com |
| Domain | C2 domain | onlyosun[.]ooguy[.]com |
| Domain | C2 domain | osix[.]ddnsgeek[.]com |
| Domain | C2 domain | ovmmiuy[.]mywire[.]org |
| Domain | C2 domain | palamolscueajfvc[.]gleeze[.]com |
| Domain | C2 domain | pawanp[.]kozow[.]com |
| Domain | C2 domain | pcmainecia[.]ddnsfree[.]com |
| Domain | C2 domain | pcvmts3[.]kozow[.]com |
| Domain | C2 domain | peisuesacae[.]loseyourip[.]com |
| Domain | C2 domain | peowork[.]ddnsgeek[.]com |
| Domain | C2 domain | pepesetup[.]ddnsfree[.]com |
| Domain | C2 domain | pewsus[.]freeddns[.]org |
| Domain | C2 domain | plcoaweniva[.]ddnsgeek[.]com |
| Domain | C2 domain | PolicyAgent[.]theworkpc[.]com |
| Domain | C2 domain | polokinyea[.]gleeze[.]com |
| Domain | C2 domain | pplodsssead222[.]loseyourip[.]com |
| Domain | C2 domain | pplosad231[.]kozow[.]com |
| Domain | C2 domain | ppsaBedon[.]gleeze[.]com |
| Domain | C2 domain | prdanjana01[.]ddnsfree[.]com |
| Domain | C2 domain | prepaid127[.]freeddns[.]org |
| Domain | C2 domain | PRIFTP[.]kozow[.]com |
| Domain | C2 domain | prihxlcs[.]ddnsfree[.]com |
| Domain | C2 domain | prihxlcsw[.]theworkpc[.]com |
| Domain | C2 domain | pxlaxvvva[.]freeddns[.]org |
| Domain | C2 domain | quitgod2023luck[.]giize[.]com |
| Domain | C2 domain | rabbit[.]ooguy[.]com |
| Domain | C2 domain | rsm323[.]kozow[.]com |
| Domain | C2 domain | saf3asg[.]giize[.]com |
| Domain | C2 domain | Scopps[.]ddnsgeek[.]com |
| Domain | C2 domain | sdhite43[.]ddnsfree[.]com |
| Domain | C2 domain | sdsuytoins63[.]kozow[.]com |
| Domain | C2 domain | selfad[.]gleeze[.]com |
| Domain | C2 domain | serious[.]kozow[.]com |
| Domain | C2 domain | setupcodpr2[.]freeddns[.]org |
| Domain | C2 domain | sgsn[.]accesscam[.]org |
| Domain | C2 domain | Smartfren[.]giize[.]com |
| Domain | C2 domain | sn0son4t31bbsvopou[.]camdvr[.]org |
| Domain | C2 domain | sn0son4t31opc[.]freeddns[.]org |
| Domain | C2 domain | soovuy[.]gleeze[.]com |
| Domain | C2 domain | styuij[.]mywire[.]org |
| Domain | C2 domain | supceasfg1[.]loseyourip[.]com |
| Domain | C2 domain | systemsz[.]kozow[.]com |
| Domain | C2 domain | t31c0mjumpcuyerop[.]ooguy[.]com |
| Domain | C2 domain | t31c0mopamcuiomx[.]kozow[.]com |
| Domain | C2 domain | t31c0mopmiuewklg[.]webredirect[.]org |
| Domain | C2 domain | t31c0mopocuveop[.]accesscam[.]org |
| Domain | C2 domain | t3lc0mcanyqbfac[.]loseyourip[.]com |
| Domain | C2 domain | t3lc0mczmoihwc[.]camdvr[.]org |
| Domain | C2 domain | t3lc0mh4udncifw[.]casacam[.]net |
| Domain | C2 domain | t3lc0mhasvnctsk[.]giize[.]com |
| Domain | C2 domain | t3lm0rtlcagratu[.]kozow[.]com |
| Domain | C2 domain | tch[.]giize[.]com |
| Domain | C2 domain | telcomn[.]giize[.]com |
| Domain | C2 domain | telen[.]bumbleshrimp[.]com |
| Domain | C2 domain | telkom[.]ooguy[.]com |
| Domain | C2 domain | telkomservices[.]theworkpc[.]com |
| Domain | C2 domain | thbio[.]kozow[.]com |
| Domain | C2 domain | timpe[.]kozow[.]com |
| Domain | C2 domain | timpe[.]webredirect[.]org |
| Domain | C2 domain | tlse001hdfuwwgdgpnn[.]theworkpc[.]com |
| Domain | C2 domain | tltlsktelko[.]ddnsfree[.]com |
| Domain | C2 domain | transport[.]dynuddns[.]net |
| Domain | C2 domain | trvcl[.]bumbleshrimp[.]com |
| Domain | C2 domain | ttsiou12[.]loseyourip[.]com |
| Domain | C2 domain | ua2o25yth[.]ddnsgeek[.]com |
| Domain | C2 domain | udieyg[.]gleeze[.]com |
| Domain | C2 domain | unnjunnani[.]ddnsfree[.]com |
| Domain | C2 domain | updatamail[.]kozow[.]com |
| Domain | C2 domain | updatasuccess[.]ddnsgeek[.]com |
| Domain | C2 domain | updateservices[.]kozow[.]com |
| Domain | C2 domain | updatetools[.]giize[.]com |
| Domain | C2 domain | uscplxsecjs[.]ddnsgeek[.]com |
| Domain | C2 domain | USOShared1[.]ddnsfree[.]com |
| Domain | C2 domain | vals[.]bumbleshrimp[.]com |
| Domain | C2 domain | vass[.]ooguy[.]com |
| Domain | C2 domain | vass2025[.]casacam[.]net |
| Domain | C2 domain | vmtools[.]camdvr[.]org |
| Domain | C2 domain | vmtools[.]loseyourip[.]com |
| Domain | C2 domain | vosies[.]ddnsfree[.]com |
| Domain | C2 domain | vpaspmine[.]freeddns[.]org |
| Domain | C2 domain | wdlcamaakc[.]ooguy[.]com |
| Domain | C2 domain | winfoss1[.]kozow[.]com |
| Domain | C2 domain | ysiohbk[.]camdvr[.]org |
| Domain | C2 domain | zammffayhd[.]ddnsfree[.]com |
| Domain | C2 domain | zmcmvmbm[.]ddnsfree[.]com |
| Domain | C2 domain | zwmn350n3o1fsdf3gs[.]kozow[.]com |
| Domain | C2 domain | zwmn350n3o1ugety2xbe[.]camdvr[.]org |
| Domain | C2 domain | zwmn350n3o1vsdrggs[.]ddnsfree[.]com |
| Domain | C2 domain | zwt310n3o1unety2kab[.]webredirect[.]org |
| Domain | C2 domain | zwt310n3o2unety6a3k[.]kozow[.]com |
| Domain | C2 domain | zwt31n3t0nidoqmve[.]camdvr[.]org |
| Domain | C2 domain | zwt3ln3t1aimckalw[.]theworkpc[.]com |
| SHA256 Hash | Self-signed X.509 SSL certificate | d25024ccea8eac85a9522289cfb709f2ed4e20176dd37855bacc2cd75c995606 |
Source Credit: https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/
