WIZARD SPIDER’s Ransomware uses 500+ domains to steal credentials


We are all aware of the new ransomware “WIZARD SPIDER”. We believe that there is a curious connection between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit.


RiskIQ’s Team Atlas and Microsoft’s Threat Intelligence Center (MSTIC) collaborated in September 2021 to release technical findings on a wave of malicious activity that used CVE-2021-40444, a vulnerability in MSHTML that allows remote code execution on a victimized Windows PC. This activity’s operational origins are said to have started in February of 2021. The network infrastructure employed in this campaign has a lot of overlap with the network architecture linked with WIZARD SPIDER, according to RiskIQ and Microsoft.

Who is WIZARD SPIDER (aka UNC1878)?

WIZARD SPIDER (aka UNC1878) is a large, Russia-based, criminal enterprise that has operated the Trickbot, Bazar, and Anchor families of malicious Remote Access Trojans (RATs) and has been observed deploying the Conti and Ryuk ransomware families in “Big-Game Hunting” campaigns that target large enterprises.

Initial Gatherings:

  • WIZARD SPIDER used non-public IP addresses as Command and Control (C2) nodes for Cobalt Strike, which the group used as a post-intrusion tool prior to the deployment of Ryuk and Conti ransomware. The overlaps that Microsoft and RiskIQ discovered were related to supporting infrastructure, in the form of non-public IP addresses, used by WIZARD SPIDER as C2 nodes for Cobalt Strike, which the group used as a post-intrusion tool prior to Domain registrant information (particularly the registrant email address) provided when purchasing the domains used to create TLS certificates revealed additional overlap (thus enabling TLS encryption for the Cobalt Strike C2 traffic between victim and attacker).
  • WIZARD SPIDER’s C2 infrastructure was ascribed to an extensive list of IP addresses and TLS certificates (and their associated domain names) provided by RiskIQ’s Team Atlas. PACT was able to cross-reference and validate the Naver-themed phishing activity detected with WIZARD SPIDER’s operations using this list.
  • During their studies, both research teams discovered anomalies that suggest the overlap isn’t indicative of a WIZARD SPIDER operation, but rather of numerous actors using the same network infrastructure. Multiple operators utilising known compromised servers, a “kind of command-and-control infrastructure as a service for cybercriminals,” or some other shared resource not owned by a single threat actor might all be to blame for the overlap.
  • PACT found a research area (mailmangecorp[.]us) via a tweet by Joe Slowik within 4 months while conducting standard investigation and analysis of harmful web-based infrastructure. PACT analysts began painstakingly establishing a network of targeted phishing infrastructure geared to gather legitimate Naver login credentials after this initial discovery. The Naver Corporation is a major, regionally popular internet platform that offers dozens of customer-facing services (e.g., email, search, social, and payment) and is comparable to a South Korean Google.
  • PACT analysts discovered commonalities with the WIZARD SPIDER architecture, discussed above, while researching the hosting infrastructure used to deliver the Naver-themed phishing pages, based on RiskIQ’s and Microsoft’s joint reports. This blog will go over PACT’s findings and methods, as well as the overlaps with WIZARD SPIDER infrastructure and significant conclusions that may offer fresh light on Microsoft and RiskIQ’s alternate hypothesis.


Naver-themed Phishing Activity:

PACT discovered 542 unique domains as part of this malicious cluster of web infrastructure, 532 of which were assessed with high confidence to be part of the ongoing phishing campaign targeting Naver logins; the oldest domain identified by PACT was registered in August of 2021, while others were registered as recently as February of 2022. The remaining domains were of unknown provenance, were part of previously disclosed prior malicious infrastructure that PACT observed as part of this cluster, or was otherwise abnormal but linked by hosting or registration connections. The complete list of 532 Naver-themed phishing domains may be seen in the report’s annex.

PACT’s investigation’s “critical nodes*” turned out to be IP addresses and, when available, domain registrant personalities (identified and tracked by the registration email address used to register the domain). The first critical node discovered was IP 172.93.201[.]253; PACT’s analysis immediately revealed that this IP was used by a huge number of Naver-themed phishing pages with a common registrant (mouraesse[@]gmail[.]com).

Image 1-The below image represents the Numerous domains registered by mouraesse@gmail[.]com resolved to 172.93.201[.]253:

Image 2-Naver-themed domain hosted on IP 172.93.201[.]253 displaying an HTTP/302 redirect to a spoofed Naver login page on “000webhostapp[.]com” as seen below –

PACT was able to determine that many domains registered with the registrant email “mouraesse@gmail[.]com” were resolving to another IP address, 23.81.246[.]131, by pivoting on the registrant email “mouraesse@gmail[.]com.” The initial link between the Naver credential phishing activity and the claimed WIZARD SPIDER infrastructure was created by this IP address, which became a significant node in PACT’s investigation. However, before we go into detail about our results on these reported overlaps, there are a few more crucial nodes that are entirely within the Naver-themed phishing activity cluster:

  • Registrant email addresses “peterstewart0326@gmail[.]com” and “kimkl0222@hotmail[.]com”, which appear to have been used jointly and by the same actor, registered over 100 Naver-themed phishing domains.
  • Registrant email addresses “tree99111@hotmail[.]com” and “jhonsteven0001@hotmail[.]com”, which also appear to have been used jointly and by the same actor, registered 69 domains, some of which had previously resolved to critical node 23.81.246[.]131.

Image 3- The below image shows the Persona behind the email addresses “peterstewart0326@gmail[.]com” and “kimkl0222@hotmail[.]com” shown along with Naver-themed domain registrations and the associated resolutions.

IP addresses:


  • Part of ASN 19148 (LeaseWeb USA, Inc.), along with critical node 23.81.246[.]131
  • Linked via pDNS resolutions to many domains registered by the “kimkl0222@hotmail[.]com / peterstewart0326@gmail[.]com” actor


  • Part of ASN 16276 (OVH SAS), along with critical node “15.235.132[.]77”, seen below
  • Linked via pDNS resolutions to many domains registered by the “kimkl0222@hotmail[.]com / peterstewart0326@gmail[.]com” actor
  • Displayed TTP overlap (IP seen serving HTTP/302 redirects to Naver phishing pages).

Image 4-This the picture that shows critical node IP address 198.244.135[.]244 observed serving HTTP/302 redirects, a TTP overlap with the Naver-phishing actor:


  • Part of ASN 16276 (OVH Singapore PTE. LTD), along with critical node “198.244.135[.]244”, seen above
  • Provided overlap with domains registered by the “kimkl0222@hotmail[.]com / peterstewart0326@gmail[.]com” actor that allowed PACT to identify additional WHOIS domain registrant “gameproducters@outlook[.]com”


  • Part of ASN 395954 (Leaseweb USA, Inc.)
  • Provided overlap with domains registered by the “kimkl0222@hotmail[.]com / peterstewart0326@gmail[.]com” actor
  • Displayed TTP overlap (IP seen serving HTTP/302 redirects, notably to the legitimate Naver login page).

Notably, none of the crucial node IP addresses listed above, including 23.81.246[.]131, appear to be commercial shared web hosting addresses (as historic resolutions only include the Naver phishing activity). Furthermore, despite the fact that public scan data for all 5 IP addresses is limited, they all appear to be Windows workstations with self-issued TLS certificates.

The reader should also be aware of the typical use of the HTTP 302 Redirect to guide victims to the intended page. On Hostinger’s web hosting platform “000webhostapp[.]com,” PACT discovered HTTP 302 Redirects to both additional Naver-themed phishing domains (as seen in Image 4 above) and to various Naver-themed phishing subdomains. On the crucial node IP address 23.81.246[.]131 (along with an expired, self-signed TLS certificate), an example displays below:

Image 5: HTTP/302 redirect to 000webhostapp[.]com (a TTP overlap) identified on critical IP 23.81.246[.]131

This screenshot from Shodan’s ‘host’ page for 23.81.246[.]131 (last seen date: 2022-02-15) shows how phishing infrastructure can be set up, regardless of the final phishing URL hosted on “000webhostapp[.]com”:

  • Victim clicks or otherwise navigates to one of the 500+ Naver-themed domain names.
  • The DNS A-record for an arbitrary number of them is set to an IP address with a web server configured similar to the way that 23.81.246[.]131 is set up (with a generic, catchall HTTP 302 Redirect) to a subdomain of  “000webhostapp[.]com.
  • Victim’s browser redirects them to the “000webhostapp[.]com” domain, where they are served a convincing replica of the Naver login page.
  • Victim enters their credentials, which are captured and now compromised.

This setup is built to endure domain attrition, which is frequent in widely-distributed phishing campaigns and is caused by phishing domains being recognized, reported, and taken down or blocked listed. The threat actor’s infrastructure becomes more resilient by separating the final phishing URL from the first victim-facing URL. Additionally, because the phishing kit is hosted on a reputable hosting platform, the final URLs hosting the phish kit are more likely to be “allow listed” or not extensively scrutinized.

Phishing for Naver credentials looks to be common, which could suggest how valuable authentic logins are. The threat actor’s TTP differed from those seen by AhnLab’s ASEC: they didn’t employ tech-themed domains, didn’t use HTTP 302 Redirects to guide victims to the final credential-gathering page, and the one-time-use number and QR code functionality wasn’t configured. Although we were unable to verify if users were effectively compromised using these methods, the Naver-themed phishing pages that PACT evaluated featured working one-time-use number and QR code functionality.

Images 6 & 7: the Naver phishing pages PACT analyzed supported one-time-password and QR code functionality

The subdomains that PACT was able to identify on “000webhostapp[.]com” serving spoofed-Naver phishing pages are included in the annex at the end of this report.  Due to the ease with which the operator can create new subdomains on this hosting platform, this list is likely outdated and/or incomplete.

IIb: Overlaps with Reported WIZARD SPIDER Infrastructure:

  • PACT claimed in section ‘IIa: Naver-themed Phishing Activity’ that there were parallels between the network infrastructure supporting the Naver phishing activity and that of WIZARD SPIDER’s prior network infrastructure. IP 23.81.246[.]131 was the first to notice the overlap (seen in Image 5, above, displaying TTP overlap).
  • PACT’s analysts first found this IP address when trying to figure out which of the 58 phishing domains registered by “mouraesse@gmail[.]com” were actively resolving, if any. The domain “navermailcorp[.]com” was resolving to “23.81.246[.]131” at the time of initial analysis, which PACT determined resulted in an HTTP Redirect to a faked Naver login page on “*.000webhostapp[.]com.”
  • Additional research turned up two malware samples associated with IP 23.81.246[.]131, according to VirusTotal:

Image 8: Malicious files seen communicating with IP of interest 23.81.246[.]131

The extracted Cobalt Strike Beacon (post-exploitation payload) configuration for one of the samples displays the same watermark identified by a security researcher on Twitter who identified these samples as part of a cluster of activity exploiting CVE-2021-40444, which was confirmed by open-source reporting. In addition, the other sample’s network behavior indicates HTTP connections to “hubojo[.]com” and “bideluw[.]com.” These two domains are significant since they both match the recovered Beacon configuration from the previous sample and represent additional, distinct linkages to 23.81.246[.]131:

  • “bideluw[.]com” was observed resolving to this IP via pDNS
  • RiskIQ reported that this IP previously served the certificate for “hubojo[.]com”, tying it to a Cobalt Strike C2 server (validating the extracted Beacon configuration from VirusTotal).

These observations all serve to bolster the previous reports of an actor using this infrastructure to support a campaign exploiting CVE-2021-40444 and to host Cobalt Strike.

PACT noticed that more than 40 of the Naver-themed phishing domains had resolved to IP 23.81.246[.]131, which was noteworthy given the historical findings. Throughout the research, PACT discovered a number of emergent resolutions, indicating that this activity is still occurring on and that this infrastructure is still in use. Throughout the pre-publication pipeline, PACT’s analysis found several domains registered in March 2022.

Additional Findings:

In addition to the connections supplied by 23.81.246[.]131, IP 23.19.227[.]176 revealed another overlap. This IP was originally linked to “naverservice[.]host” (a Naver phishing cluster), but it was also included in RiskIQ’s analysis as part of the same Cobalt Strike C2 infrastructure used by the actor that exploited CVE-2021-40444. It was linked to “pawbug[.]com” in this example, which PACT independently confirmed using pDNS.

Another link to the infrastructure outlined in RiskIQ’s research is IP 23.106.215[.]141, which is formed by a link between “naverncorp[.]com” and “maloxob[.]com.” A Cobalt Strike C2 server was also discovered at the domain “maloxob[.]com.” PACT’s analysts were also led to another domain, cebuwu[.]com, which will be discussed later in this report.

Image 9: Critical overlaps between RiskIQ’s previous findings & the Naver-themed phishing activity.

Two more IP addresses that are believed to represent shared resources were discovered to have overlaps:

  • 184.168.221[.]39: ties together “mailhelp[.]online” (part of the cluster targeting Naver) with “jumpbill[.]com” and “raills[.]com” (reported as Cobalt Strike C2s by RiskIQ).
  • 195.186.208[.]193: ties together at least two of the domains seen in the Naver phishing activity (“navrcorp[.]site” & “navercorps[.]online”) and dozens of the Cobalt Strike domains reported by RiskIQ


IIIa. Analytic Gaps & Anomalous Findings:

PACT discovered a number of abnormalities and anomalies when evaluating and processing the data revealed in this inquiry. They are listed in no particular order below:

  • The majority of the domains identified as part of the Naver-phishing cluster of activity were not protected by privacy settings, making it easy for analysts to find other domains with the same registrant information (e.g., email address). Privacy has become a de facto standard during the domain registration process as a result of WHOIS Privacy and GDPR. It’s unusual to come across a cluster of activity, particularly one linked to a named threat group like WIZARD SPIDER, in which all of the domain-based infrastructure is unobscured by privacy protection services.
  • The domain-generation algorithm and other TTPs of the Threat Actor managing the Cobalt Strike infrastructure were revealed by RiskIQ’s study. As a result of this insight, PACT identified two domains: cebuwu[.]com and lertwo[.]com, which matched RiskIQ’s evaluation of the actor’s TTPs. In the following ways, these two domains intersected with earlier reporting:
    • They are between six to eight alphabetic characters in length, which aligns with the Domain Generation Algorithm (DGA) likely used by the threat actor(s).
    • They utilize the “.COM” top level domain (TLD).
    • The domain cebuwu[.]com used the legitimate Certificate Authority “Sectigo”.
    • The domain cebuwu[.]com was identified via 23.106.215[.]141, which also links another Cobalt Strike C2 domain reported by RiskIQ (maloxob[.]com) and the Naver-themed activity (via naverncorp[.]com).
    • Likewise, past resolutions link the domain lertwo[.]com to both the Cobalt Strike C2 activity (195.186.208[.]193, 195.186.210[.]241) as well as the naver activity (navrcorp[.]site, navercorps[.]online, navertechp[.]online).  It is likely that these resolutions are the result of shared hosting or a pooled resource with many customers but the overlap is notable nonetheless, as it may indicate an operator preference or behavioral TTP.
  • The domain disneycareers[.]net was discovered during an investigation of important node IP 172.93.201[.]253, which appears to be a convincingly designed imitation of Disney’s real careers page: jobs.disneycareers[.]com. In addition to being labelled as malicious by Google’s Safebrowsing service, the mimic site is hosted on Namecheap’s network and is not registered with CSC CORPORATE DOMAINS, INC. (as Disney’s actual site is). The simulated site’s appearance altered dramatically during the examination, presumably indicating active development. Furthermore, the TLS certificate was issued by Sectigo, which corresponds to the behaviour described above for the Cobalt Strike C2 domains’ Certificate Authority of Choice.Although the purpose of this mockup domain is unknown, the criminal nexus surrounding the rest of the associated infrastructure should be enough to trigger further investigation and could perhaps imply targeted attacks.


  • PACT believes that the Naver-themed phishing activity is extremely likely to be operationally tied to the Cobalt Strike infrastructure discovered by RiskIQ (and mentioned by Microsoft).
  • Furthermore, PACT would like to highlight that these findings do not necessarily imply that WIZARD SPIDER is responsible for the discrete clusters of activity discovered on this infrastructure.
  • The fact that this infrastructure has been utilised to close several different killchain links across multiple campaigns (and maybe by different actors), along with the observations made by RiskIQ and Microsoft, may lend more credence to the ideas they’ve put up. 

According to Risk IQ,

“Despite the historical connections [between WIZARD SPIDER and the Cobalt Strike C2 infrastructure], we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible.”

According to Microsoft,

“The infrastructure we associate with DEV-0365 has significant behavioral overlaps and distinct identifying traits with Cobalt Strike infrastructure, implying that it was constructed or controlled by a different set of operators.” However, further behavior from this infrastructure suggests that human-operated ransomware attacks are linked to various threat actors or clusters (including the deployment of Conti ransomware). DEV-0365 may be involved in a type of command-and-control infrastructure as a service for cybercriminals, according to one theory.”


The latter is particularly noteworthy, according to PACT, because the Naver-themed phishing activity that was first uncovered does not appear to be the work of a ransomware gang. Pre-ransomware activity (such as mass phishing and credential gathering) is often handled by affiliates or brokers that provide access to ransomware operators, while post-compromise operations, ransomware development, and deployment/encryption are handled by other organizations.

Within the illegal business model of ransomware-as-a-service (RaaS), this separation of roles is typical. PACT’s findings of the additional “uncertainty surrounding the nature of the shared qualities” of this infrastructure and the “significant variation in malicious activity,” similar to what Microsoft and RiskIQ reported, strengthen the hypotheses put forward by both firms: multiple entities could be utilizing the same third party providing “bulletproof hosting” services to conduct their operations. PACT was unable to rebut this theory, and as a result, it has a moderate level of confidence that an unreported illicit hosting business is operating on this infrastructure. PACT was only able to find ties to the alleged WIZARD SPIDER activity through hosting and DNS resolutions; no additional operational mechanisms were found to link to the reported WIZARD SPIDER activity (such as registrants, malicious samples, etc).

As a result, the evidence points to a new and rising “infrastructure as a service for cybercriminals.

Detection Opportunities & Indicators of Compromise:

acc-center[.]site               naveewteam[.]site           navermailservice[.]host  navportal[.]online

acks[.]tech          naveloga[.]online             navermailservice[.]online              navportalcenter[.]site

centersecurity[.]link         navelosa[.]host  navermailservice[.]site    navportalcorp[.]site

cloudalarm[.]online          naveoccorp[.]link              navermailteam[.]online  navportalsec[.]site

cloudalarm[.]site              naveoccorp[.]online         navermanage[.]com        navportalsecs[.]site

cloudalarm[.]space          naveocenter[.]link            navermanage[.]live          navportalservice[.]site

cloudalarm[.]tech             naveocop[.]link  navermanage[.]online     navrcenter[.]site

cloudalarm[.]website      naveocorp[.]link navermanage[.]space     navrcorp[.]site

cloudalarm[.]xyz               naveocorp[.]online           navermanagecorp[.]online            navrcorp[.]tech

cloudcentre[.]online        naveocorp[.]site               navermanagecorp[.]site navrcorp[.]xyz

cloudcentre[.]site             naveocorp[.]tech              navermanager[.]online   navrpcenter[.]site

cloudcentre[.]space         naveocorp[.]website        navermanager[.]site        navrrcorp[.]site

cloudcentre[.]store          naveocorps[.]link              navermanagerteam[.]site             navrrcorp[.]tech

cloudcentre[.]tech           naveoecorp[.]tech            navermanageteam[.]com              navsceteam[.]site

cloudcentre[.]website     naveogains[.]tech            navermcorp[.]com           navseccenter[.]site

cloudcentre[.]xyz              naveolink[.]online             navermgr[.]site  navseccorp[.]link

corpcenternav[.]site        naveologs[.]online            navermgr01[.]host           navseccorp[.]online

corpnavcenter[.]site        naveooccorp[.]online       navermgr01[.]site            navseccorp[.]site

corpnavsec[.]site              naveoocorp[.]link             navermgr02[.]site            navsecncenter[.]site

corprsecurity[.]tech         naveoocorp[.]online         naverncorp[.]com             navsecnet[.]online

corpseccenter[.]site         naveoocorp[.]site             navernidcorp[.]com         navsecorg[.]tech

corpsecnav[.]site              naveoocorp[.]xyz              navernidcorp[.]online      navsecportal[.]site

corpsecservice[.]site        naveoorcorp[.]link            navernidcorp[.]site           navsecportal[.]tech

havcorp[.]site     naveorcorp[.]host             navernidlog[.]live             navsecportals[.]tech

havecorp[.]link   naveorcorp[.]link              navernidmail[.]com          navsecsite[.]tech

havecorp[.]tech naveorcorp[.]online         navernidmail[.]online      navsecteam[.]tech

haveecorp[.]site               naveorcorp[.]site              naverocenter[.]site          navsecteam[.]website

haveorcorp[.]tech            naveorcorp[.]tech            naverocorp[.]link              navsecuritycenter[.]site

havercorp[.]site naveorrcorp[.]online        naverocorp[.]online         navsecuritycenter[.]tech

havercorp[.]tech               naveorrcorp[.]tech           naverocorp[.]site              navsecuritycorp[.]link

havercorps[.]site              naveorseccorp[.]link        naverocorp[.]tech            navsecuritycorp[.]site

havercorpteam[.]site       naveorteam[.]site            naverocorpteam[.]site    navsecurityportal[.]online

haverocorp[.]link              naveoscorp[.]link              naveronavteam[.]site      navsecurityteam[.]tech

havoocorp[.]online           naveoteam[.]online         naveroocorp[.]link            navsecvcorp[.]online

havoocorp[.]tech              naveoteam[.]site              naveroocorp[.]site            navsecvteam[.]site

havorcorp[.]link naver-accounts[.]com     naverooteam[.]site          navserveportal[.]site

havorcorp[.]online            naver-sec[.]net  naverooteam[.]tech         navservicecenter[.]site

havorcorp[.]site naver-sec[.]org  naverorcorp[.]tech           navservicescenter[.]online

havorcorp[.]tech               naver-security[.]net         naverorg[.]site   navserviceteam[.]com

havorcorpsv[.]online        naver-security[.]org         naverorteam[.]link           navserviceteam[.]site

mailcontactteam[.]online              naver-services[.]com       naverorteam[.]online               navserviceucenter[.]site

mailcorp[.]site    naveradmin[.]online        naveroscope[.]tech          navservicevcenter[.]site

mailcorpcenter[.]online  naveradmin00[.]tech       naveroteam[.]online        navsite[.]online

mailcorpcenter[.]site       naveradmin01[.]link         naveroteam[.]tech           navsvcorp[.]tech

mailcustomerservice[.]site            naveradmin01[.]site        naverovocorp[.]site          navsvportal[.]tech

mailhelp[.]online              naveradmin02[.]site        naverovvcorp[.]tech        navteam[.]online

mailmanagecorp[.]online              naveradmin03[.]site        naverrcorp[.]site               navteamcorp[.]link

mailmanagecorp[.]site    naveradmin04[.]tech       naverreda[.]xyz  navvccenter[.]online

mailmanageservice[.]com             naveradmin05[.]site        naverredb[.]xyz  navvcorp[.]host

mailmanageteam[.]com naveradmin06[.]online    naverredc[.]xyz  navvcorp[.]link

mailmanageteam[.]site  naveradmin07[.]site        naverredd[.]xyz  navvcorp[.]online

mailmangecorp[.]us         naveradmina[.]tech         naverrede[.]xyz  navvcorp[.]site

mailportalcenter[.]online               naveralert[.]link naverredirect[.]live          navvctr[.]link     

mailportalcenter[.]site    naveranid[.]live  naverrteam[.]site             navvctr[.]site     

mailscropcenter[.]site     naverccorp[.]com             naversec[.]site   navvctr[.]tech

mailsecurity[.]email         navercert[.]live  naversecurity[.]site          navvctvr[.]site

mailservice[.]digital         navercert[.]online            naversecurityservice[.]online               navveoocorp[.]online

mailservice[.]host             navercoa[.]store               naversecurityteam[.]com              navvocorp[.]online

mailservicecenter[.]site  navercob[.]store               naverservice[.]email        navvocorp[.]site

mailservicecenters[.]site               navercoc[.]store               naverservice[.]host          navvrcorp[.]site

mailservicecorp[.]online navercod[.]store               naverservice[.]link            navvsecurity[.]site

mailservicecorp[.]site      navercoe[.]store               naverservice[.]online       navvtr[.]site       

mailservicemanage[.]com             navercoma[.]tech             naverservice[.]site           navvtrr[.]site     

mailserviceteam[.]com   navercomb[.]tech             naverservicecorp[.]com  navvtrs[.]site     

mailserviceteam[.]email navercomc[.]tech             naverservicecorp[.]online              navvtrw[.]site

mailserviceteam[.]host   navercomd[.]tech             naverservicecorp[.]site   nevercorp[.]online

mailserviceteam[.]online               navercome[.]tech             naverserviceteam[.]com nevercorp[.]site

mailserviceteam[.]site    navercop[.]link   naverserviceteam[.]email             nevercorp[.]tech

mailteam[.]site  navercop[.]online             naverserviceteam[.]site  neverrcorp[.]tech

msite[.]host        navercorp[.]email             navertcorp[.]com             nidanaver[.]tech

naswsteam[.]site              navercorp[.]live naverteam[.]live               nidbnaver[.]tech

nauercorp[.]site navercorp[.]site naverteam[.]site               nidcnaver[.]com

nauercorp[.]website        navercorpa[.]tech            naverteam01[.]site          nidcnaver[.]tech

nauercorpa[.]online         navercorpa[.]website      naverteamcorp[.]com     niddnaver[.]tech

nauercorpb[.]online         navercorpb[.]online         naverteamcorp[.]live       nidinaver[.]com

nauercorpc[.]online         navercorpb[.]tech            naverteamcorp[.]site       nidnavcenter[.]link

nauercorpd[.]online         navercorpb[.]website      navertecha[.]host             nidnavcenter[.]online

nauercorpteam[.]website              navercorpc[.]online          navertechb[.]site              nidnavcenter[.]site

nauermanager[.]website               navercorpc[.]tech             navertechc[.]email           nidnavportal[.]site

navaccountcenter[.]online            navercorpc[.]website      navertechd[.]net              nidnavscenter[.]xyz

navadmin[.]site  navercorpd[.]online         naverteche[.]link              nidnavsecurity[.]tech

navadmin01[.]site            navercorpd[.]tech            navertechf[.]host             nidpavsec[.]digital

navcen[.]site      navercorpd[.]website      navertechg[.]site              nidportalnav[.]online

navcenter[.]xyz  navercorpe[.]online         navertechh[.]online         nidseccenter[.]host

navcenterportal[.]site     navercorpe[.]tech            navertechi[.]link               nidseccenter[.]site

navcopcenter[.]tech        navercorpe[.]website      navertechj[.]host              nidsecuritycenter[.]online

navcorp[.]host    navercorpf[.]online          navertechk[.]site              nidsecuritycorp[.]tech

navcorp[.]link     navercorpf[.]tech             navertechl[.]online           noreplya[.]online

navcorp[.]space navercorpf[.]website       navertechm[.]link             noreplya[.]site

navcorp[.]website            navercorpg[.]online         navertechn[.]host             noreplya[.]space

navcorpacenter[.]site      navercorpg[.]tech            navertecho[.]site              noreplya[.]tech

navcorpcenter[.]site        navercorpg[.]website      navertechp[.]online         noreplya[.]website

navcorpctr[.]online          navercorph[.]online         navertechq[.]link              noreplya[.]xyz

navcorpctr[.]site               navercorph[.]tech            navertechr[.]host             noreplyb[.]online

navcorpmanage[.]site     navercorph[.]website      navertechs[.]site              noreplyb[.]site

navcorpmanager[.]site    navercorpi[.]online           navertecht[.]online          noreplyb[.]space

navcorpmanager[.]website           navercorpi[.]tech              navertechu[.]link              noreplyb[.]store

navcorpportal[.]xyz          navercorpj[.]online           naverurl[.]xyz     noreplyb[.]tech

navcorps[.]site   navercorpj[.]tech              navervteam[.]site             noreplyb[.]website

navcorps[.]website          navercorpk[.]online          naveservice[.]site             noreplyb[.]xyz

navcorpscenter[.]site      navercorpk[.]tech             navevcorp[.]link novercorp[.]site

navcorpsecurity[.]site      navercorpl[.]online           navevcorp[.]online           nvrcopa[.]link

navcorpserver[.]site         navercorpl[.]tech              navevcorp[.]site nvrcopb[.]link

navcorpservice[.]site       navercorpm[.]online        navevrcorp[.]online          nvrcopc[.]link

navcorpservice[.]website              navercorpmanager[.]online          navhelp[.]online nvrcope[.]site

navcorpsite[.]online         navercorpn[.]online         navmailcenter[.]site        nvrcopf[.]site     

navcorpssec[.]tech           navercorpo[.]online         navmailcorp[.]site            nvricop[.]online

navcorpsuppot[.]site        navercorpp[.]online         navmailserver[.]site         nvrjcop[.]online

navcorpteam[.]online      navercorpq[.]online         navmanage[.]online         nvscetr[.]site     

navcorpteam[.]site          navercorpr[.]online          navmanager[.]site            portalcorpsec[.]site

navcorpteam[.]website   navercorps[.]online          navmanager[.]website    portalcorpteam[.]com

navcpcenter[.]site            navercorpservice[.]com  navocorp[.]link   portalseccorps[.]site

navcrtr[.]online  navercorpt[.]online          navocorp[.]site   portalserver[.]online

navctrv[.]site      navercorpteam[.]com     navocorp[.]tech scientisttest[.]digital

navcvcorp[.]online           navercorpteam[.]online  navoercorp[.]host             seccenter[.]link

naveacorp[.]tech              navercorpu[.]online         navoercorp[.]link              seccenter[.]online

naveccorp[.]link navercorpv[.]online          navoercorp[.]site              seccorp[.]link

navecorp[[.]]host             navercorpw[[.]]online     navoocorp[[.]]link             secmanageteam[[.]]site

navecorp[[.]]online          navercorpx[[.]]online       navoocorp[[.]]online        secnavportal[[.]]digital

navecorp[[.]]site               navercorpy[[.]]online       navoocorp[[.]]site            secportal[[.]]digital

navecorp[[.]]website       navercorpz[[.]]online       navoorcorp[[.]]link           secportal[[.]]link

naveeccorp[[.]]tech         navercscorp[[.]]com        navoorcorp[[.]]online      secportalnav[[.]]site

naveecorp[[.]]link             naverdoc[[.]]site               navoorcorp[[.]]site           secportals[[.]]digital

naveecorp[[.]]online        naverhost[[.]]live              navorcop[[.]]site               secportalsnav[[.]]site

naveecorp[[.]]site            naverkr[[.]]online             navorcorp[[.]]link             securityccenter[[.]]site

naveecorp[[.]]tech           naverlogn[[.]]live              navorcorp[[.]]online         securitycenter[[.]]link

naveecorp[[.]]xyz             navermail[[.]]site             navorcorp[[.]]xyz              securitycenter[[.]]space

naveeecorp[[.]]site          navermailcorp[[.]]com    navorcorpteam[[.]]site    securitynavcenter[[.]]site

naveeocorp[[.]]xyz           navermailcorp[[.]]host    navovcorp[[.]]online        securitynavcenter[[.]]tech

naveeoocorp[[.]]link        navermailcorp[[.]]online navovcorp[[.]]site             securityvcenter[[.]]site

naveeorcorp[[.]]tech       navermailcorp[[.]]site     navovcorp[[.]]tech           sercureteam[[.]]site

naveeoteam[[.]]site         navermailmanage[[.]]com            navpcenter[[.]]online      setcenter[[.]]store

naveercorp[[.]]online      navermailservice[[.]]com              navpcenter[[.]]site           shtlink[[.]]online

Source: Prevailion

Previous articleFree Ransomware Decryption tool -No More Ransom
Next articleUNC2891 ATM Rootkit – Mandiant Advanced Practices Team Tracks Latest Indicators
Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst


Please enter your comment!
Please enter your name here