{"id":23564,"date":"2023-12-09T16:02:42","date_gmt":"2023-12-10T00:02:42","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/12\/09\/news-17294\/"},"modified":"2023-12-09T16:02:42","modified_gmt":"2023-12-10T00:02:42","slug":"news-17294","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/12\/09\/news-17294\/","title":{"rendered":"Star Blizzard increases sophistication and evasion in ongoing attacks"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Thu, 07 Dec 2023 12:01:00 +0000<\/strong><\/p>\n<p>Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as <a href=\"https:\/\/security.microsoft.com\/intel-profiles\/e24d62ce29705358542e259267c2f18da1725bf39f10828d53c53b8cb7f3113a?tid=0553df8d-f650-4a9b-b0b8-f97df0aedfce\">Star Blizzard<\/a> (formerly SEABORGIUM, also known as COLDRIVER and Callisto Group). Star Blizzard has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets. Star Blizzard, whose activities we assess to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests. Microsoft continues to refine and deploy protections against Star Blizzard\u2019s evolving spear-phishing tactics.<\/p>\n<p>Microsoft is grateful for the collaboration on investigating Star Blizzard compromises with the international cybersecurity community, including our partners at the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.<\/p>\n<p>This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), building on our <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/15\/disrupting-seaborgiums-ongoing-phishing-operations\/\">2022 blog<\/a> as the actor continues to refine their tradecraft to evade detection. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.<\/p>\n<div class=\"wp-block-msxcm-kicker-container align-right\">\n<div class=\" wp-block-msxcm-kicker wp-block-msxcm-kicker--align-right\" data-bi-an=\"Kicker Right\">\n<p class=\"wp-block-msxcm-kicker__title text-neutral-600 text-uppercase\"> \t\t\tPROTECT YOURSELF AGAINST STAR BLIZZARD\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"#FAQ\" \t\t\t> \t\t\t<span>Read FAQs<\/span>&nbsp;<span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<h2 class=\"wp-block-heading\">New TTPs: Evasion techniques<\/h2>\n<div class=\"wp-block-msxcm-kicker-container align-right\">\n<div class=\" wp-block-msxcm-kicker wp-block-msxcm-kicker--align-right\" data-bi-an=\"Kicker Right\">\n<p class=\"wp-block-msxcm-kicker__title text-neutral-600 text-uppercase\"> \t\t\tINDICATORS OF COMPROMISE\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"#IOC\" \t\t\t> \t\t\t<span>Get IOCs<\/span>&nbsp;<span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>Based on our analysis of the actor\u2019s TTPs since our previous blog in 2022, Star Blizzard has evolved to focus on improving its detection evasion capabilities. Microsoft has identified five new Star Blizzard evasive techniques:<\/p>\n<ul>\n<li>Use of server-side scripts to prevent automated scanning of actor-controlled infrastructure.<\/li>\n<li>Use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages<\/li>\n<li>Use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing their service.<\/li>\n<li>Password-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted<\/li>\n<li>Shifting to a more randomized domain generation algorithm (DGA) for actor-registered domains<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">Use of server-side scripts to prevent automated scanning<\/h3>\n<p>Beginning in April 2023, we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, now first executing JavaScript code (titled \u201cCollect and Send User Data\u201d) before redirecting the browsing session to the Evilginx server.<\/p>\n<p>Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled \u201cDocs\u201d), which is still in use today.<\/p>\n<p>This capability collects various information from the browser performing the browsing session to the redirector server.<\/p>\n<p>The code contains three main functions:<\/p>\n<ul>\n<li><strong><em>pluginsEmpty()<\/em><\/strong>: This function checks if the browser has any plugins installed.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/code-snippet-1.webp\" alt=\"A screenshot of code for a function that checks if the browser has any plugins installed\" class=\"wp-image-132701 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/code-snippet-1.webp\"><\/figure>\n<ul>\n<li><strong><em>isAutomationTool()<\/em><\/strong>: This function checks for various indicators that the page is being accessed by an automation tool (such as Selenium, PhantomJS, or Nightmare) and returns an object with information about the detected tools.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/code-snippet-2.webp\" alt=\"A screenshot of code for a function that checks for various indicators that the page is being accessed by an automation tool and returns an object with information about the detected tools.\" class=\"wp-image-132702 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/code-snippet-2.webp\"><\/figure>\n<ul>\n<li><strong><em>sendToBackend(data)<\/em><\/strong>: This function sends the data collected by <em>isAutomationTool()<\/em> to the server using a POST request. If the server returns a response, the message in the response is executed using <em>eval()<\/em>.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/code-snippet-3.webp\" alt=\"A screenshot of code for a function that sends the data collected by isAutomationTool() to the server using a POST request.\" class=\"wp-image-132703 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/code-snippet-3.webp\"><\/figure>\n<p>Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection.<\/p>\n<p>When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server.<\/p>\n<p>A bad verdict results in the receipt of an HTTP error response and no further redirection.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-1.-Content-of-POST-request-and-server-response-using-Collect-and-Send-User-Data-JavaScript-1-1024x327.webp\" alt=\"Screenshot of code depicting the POST request and server response\" class=\"wp-image-132684 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-1.-Content-of-POST-request-and-server-response-using-Collect-and-Send-User-Data-JavaScript-1-1024x327.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-1.-Content-of-POST-request-and-server-response-using-Collect-and-Send-User-Data-JavaScript-1-300x96.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-1.-Content-of-POST-request-and-server-response-using-Collect-and-Send-User-Data-JavaScript-1-768x245.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-1.-Content-of-POST-request-and-server-response-using-Collect-and-Send-User-Data-JavaScript-1-1536x490.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-1.-Content-of-POST-request-and-server-response-using-Collect-and-Send-User-Data-JavaScript-1.webp 1997w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-1.-Content-of-POST-request-and-server-response-using-Collect-and-Send-User-Data-JavaScript-1-1024x327.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. Content of POST request and server response using &ldquo;Collect and Send User Data&rdquo; JavaScript<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\">Use of email marketing platform services<\/h3>\n<p>We have observed Star Blizzard using two different services, HubSpot and MailerLite. The actor uses these services to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure. The services can also provide the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the \u201cFrom\u201d address in their campaigns.<\/p>\n<p>Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal. We assess that this use-case of the HubSpot mailing platform was to allow the threat actor to track large numbers of identical messages sent to multiple recipients. Note should be taken to the \u201cReply-to\u201d address in these emails, which is required by the HubSpot platform to be an actual in-use account. All the sender accounts in the following examples are dedicated threat actor-controlled accounts.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-2.-Examples-of-themed-spear-phishing-email-headers-1024x754.webp\" alt=\"Three screenshots of themed spear-phishing email headers for a US grants management portal\" class=\"wp-image-132685 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-2.-Examples-of-themed-spear-phishing-email-headers-1024x754.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-2.-Examples-of-themed-spear-phishing-email-headers-300x221.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-2.-Examples-of-themed-spear-phishing-email-headers-768x565.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-2.-Examples-of-themed-spear-phishing-email-headers.webp 1479w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-2.-Examples-of-themed-spear-phishing-email-headers-1024x754.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Examples of themed spear-phishing email headers<\/em><\/figcaption><\/figure>\n<p>Other HubSpot campaigns have been observed using the campaign URL embedded in an attached PDF lure or directly in the email body to perform redirection to actor-controlled Evilginx server infrastructure configured for email account credential theft. We assess that in these cases, the HubSpot platform was used to remove the need for including actor-controlled domain infrastructure in the spear-phishing emails and better evade detection based on indicators of compromise (IOC).<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-3.-Example-of-victim-redirection-chain-using-initial-HubSpot-URL-1024x464.webp\" alt=\"A call chain displaying how the initial redirection is performed within HubSpot for campaign tracking, followed by redirection to actor-controlled infrastructure (the redirector server), and lastly redirection to actor-controlled infrastructure (the Evilginx server)\" class=\"wp-image-132686 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-3.-Example-of-victim-redirection-chain-using-initial-HubSpot-URL-1024x464.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-3.-Example-of-victim-redirection-chain-using-initial-HubSpot-URL-300x136.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-3.-Example-of-victim-redirection-chain-using-initial-HubSpot-URL-768x348.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-3.-Example-of-victim-redirection-chain-using-initial-HubSpot-URL-1536x696.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-3.-Example-of-victim-redirection-chain-using-initial-HubSpot-URL-2048x928.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-3.-Example-of-victim-redirection-chain-using-initial-HubSpot-URL-1024x464.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. Example of victim redirection chain using initial HubSpot URL<\/em><\/figcaption><\/figure>\n<p>Star Blizzard&#8217;s use of the MailerLite platform is similar to the second HubSpot tactic described above, with the observed campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.<\/p>\n<h3 class=\"wp-block-heading\">Use of a DNS provider to resolve actor-controlled domain infrastructure<\/h3>\n<p>In December 2022, we began to observe Star Blizzard first using a domain name service (DNS) provider that also acts as a reverse proxy server to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.<\/p>\n<p>We have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.<\/p>\n<h3 class=\"wp-block-heading\">Password-protected PDF lures or links to cloud-based file-sharing platforms<\/h3>\n<p>Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders. The threat actor usually sends the password to open the file to the targeted user in the same or a subsequent email message.<\/p>\n<p>In addition to password-protecting the PDF lures themselves, the actor has been observed hosting PDF lures at a cloud storage service and sharing a password-protected link to the file in a message sent to the intended victim. While Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft OneDrive), Proton Drive is predominantly chosen for this purpose.<\/p>\n<p>Microsoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing activities.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-4.-Example-of-spear-phishing-email-with-password-protected-link-to-Proton-Drive-1024x414.webp\" alt=\"Screenshot of an example spear-phishing email with a password protecting link to Proton Drive\" class=\"wp-image-132687 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-4.-Example-of-spear-phishing-email-with-password-protected-link-to-Proton-Drive-1024x414.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-4.-Example-of-spear-phishing-email-with-password-protected-link-to-Proton-Drive-300x121.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-4.-Example-of-spear-phishing-email-with-password-protected-link-to-Proton-Drive-768x310.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-4.-Example-of-spear-phishing-email-with-password-protected-link-to-Proton-Drive-1536x621.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-4.-Example-of-spear-phishing-email-with-password-protected-link-to-Proton-Drive.webp 1953w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-4.-Example-of-spear-phishing-email-with-password-protected-link-to-Proton-Drive-1024x414.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. Example of spear-phishing email with password protected link to Proton Drive<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\">Randomizing DGA for actor registered domains<\/h3>\n<p>Following the detailed public reporting by <a href=\"https:\/\/www.recordedfuture.com\/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023\">Recorded Future (August 2023)<\/a> on detection opportunities for Star Blizzard domain registrations, we have observed the threat actor making significant changes in their chosen domain naming syntax.<\/p>\n<p>Prior to the public reporting, Star Blizzard utilized a limited wordlist for their DGA. Subsequently, Microsoft has observed that the threat actor has upgraded their domain-generating mechanism to include a more randomized list of words.<\/p>\n<p>Despite the increased randomization, Microsoft has identified detection opportunities based on the following constant patterns in Star Blizzard domain registration behavior:<\/p>\n<ul>\n<li>Namecheap remains the registrar of choice.<\/li>\n<li>Domains are usually registered in groups, many times with similar naming conventions.<\/li>\n<li>X.509 TLS certificates are provided by Let\u2019s Encrypt, created in the same timeframe of domain registration.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-5.-Examples-of-X.509-TLS-certificates-used-by-Star-Blizzard-1024x710.webp\" alt=\"Examples of two X.509 TLS certificates used by the threat actor\" class=\"wp-image-132688 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-5.-Examples-of-X.509-TLS-certificates-used-by-Star-Blizzard-1024x710.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-5.-Examples-of-X.509-TLS-certificates-used-by-Star-Blizzard-300x208.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-5.-Examples-of-X.509-TLS-certificates-used-by-Star-Blizzard-768x533.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-5.-Examples-of-X.509-TLS-certificates-used-by-Star-Blizzard.webp 1100w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-5.-Examples-of-X.509-TLS-certificates-used-by-Star-Blizzard-1024x710.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 5. Examples of X.509 TLS certificates used by Star Blizzard<\/em><\/figcaption><\/figure>\n<p>A list of recent domain names registered by Star Blizzard can be found at the end of this report.<\/p>\n<h2 class=\"wp-block-heading\">Consistent TTPs since 2022<\/h2>\n<p>Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and\/or personal email accounts.<\/p>\n<p>Star Blizzard continues to utilize the publicly available Evilginx framework to achieve their objective, with the initial access vector remaining to be spear-phishing via email. Target redirection to the threat actor\u2019s Evilginx server infrastructure is still usually achieved using custom-built PDF lures that open a browser session. This session follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a \u201cphishlet\u201d for the intended targets\u2019 email provider.<\/p>\n<p>Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain.<\/p>\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-6.-Typical-Star-Blizzard-redirection-chain-to-Evilginx-infrastructure-1024x322.webp\" alt=\"Dgram displaying the redirection chain from PDF spear-phishing lure, to the actor-controlled VPS hosting redirection server, to the actor-controlled VPS hosting Evilginx server.\" class=\"wp-image-132689 webp-format\" style=\"width:500px\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-6.-Typical-Star-Blizzard-redirection-chain-to-Evilginx-infrastructure-1024x322.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-6.-Typical-Star-Blizzard-redirection-chain-to-Evilginx-infrastructure-300x94.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-6.-Typical-Star-Blizzard-redirection-chain-to-Evilginx-infrastructure-768x242.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-6.-Typical-Star-Blizzard-redirection-chain-to-Evilginx-infrastructure-1536x483.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-6.-Typical-Star-Blizzard-redirection-chain-to-Evilginx-infrastructure-2048x645.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-6.-Typical-Star-Blizzard-redirection-chain-to-Evilginx-infrastructure-1024x322.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 6. Typical Star Blizzard redirection chain to Evilginx infrastructure<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"FAQ\">Protecting yourself against Star Blizzard<\/h2>\n<p>As with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes, <strong>individual email users should be aware of who these attacks target and what they look like <\/strong>to improve their ability to identify and avoid further attacks.<\/p>\n<p>The following are a list of answers to questions that enterprise and consumer email users should be asking about the threat from Star Blizzard:<\/p>\n<h3 class=\"wp-block-heading\">Am I at risk of being a Star Blizzard target?<\/h3>\n<p>Users and organizations are more likely to be a potential Star Blizzard target if connected to the following areas:<\/p>\n<ol type=\"1\">\n<li>Government or diplomacy (both incumbent and former position holders).<\/li>\n<li>Research into defense policy or international relations when related to Russia.<\/li>\n<li>Assistance to Ukraine related to the ongoing conflict with Russia.<\/li>\n<\/ol>\n<p><strong><em>Remember that Star Blizzard targets both consumer and enterprise accounts, so there is an equal threat to both organization and personal accounts.<\/em><\/strong><\/p>\n<h3 class=\"wp-block-heading\">What will a Star Blizzard spear-phishing email look like?<\/h3>\n<p>The email will appear to be from a known contact that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders (<em>@proton.me<\/em>, <em>@protonmail.com<\/em>) as they are frequently used by Star Blizzard.<\/p>\n<p>An initial email will usually be sent asking to review a document, but without any attachment or link to the document.<\/p>\n<p>The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or a link to a PDF file hosted on a cloud storage platform. The PDF file will be unreadable, with a prominent button purporting to enable reading the content.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-7.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1024x339.webp\" alt=\"Screenshot of four lures displaying blurred PDFs examples.\" class=\"wp-image-132690 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-7.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1024x339.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-7.-Examples-of-Star-Blizzard-PDF-lures-when-opened-300x99.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-7.-Examples-of-Star-Blizzard-PDF-lures-when-opened-768x254.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-7.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1536x509.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-7.-Examples-of-Star-Blizzard-PDF-lures-when-opened-2048x678.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-7.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1024x339.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 7. Examples of Star Blizzard PDF lures when opened<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\">What happens if I interact with a Star Blizzard PDF lure?<\/h3>\n<p>Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code\u2014this is the beginning of the redirection chain. Targets will likely see a web page titled \u201cDocs\u201d in the initial page opened and may be presented with a CAPTCHA to solve before continuing the redirection. The browsing session will end showing a sign-in screen to the account where the spear-phishing email was received, with the targeted email already appearing in the username field.<\/p>\n<p><strong>The host domain in the web address is an actor-controlled domain (see appendix for full list), and<em> not<\/em> the expected domain of the email server or cloud service.<\/strong><\/p>\n<p>If multifactor authentication is configured for a targeted email account, entering a password in the displayed sign-in screen will trigger an authentication approval request. If passwordless access is configured for the targeted account, an authentication approval request is immediately received on the device chosen for receiving authentication approvals.<\/p>\n<p><strong>As long as the authentication process is not completed (a valid password is not entered and\/or an authentication request is not approved), the threat actor <em>has not compromised the account<\/em>.<\/strong><\/p>\n<p>If the authentication process is completed, the credentials have been successfully compromised by Star Blizzard, and the threat actor has all the required details needed to immediately access the mailbox, <em>even if multifactor authentication is enabled.<\/em><\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-8.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1024x649.webp\" alt=\"Four screenshots of what the PDF lures look like when opened, such as a CAPTCHAs or sign-in pages.\" class=\"wp-image-132691 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-8.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1024x649.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-8.-Examples-of-Star-Blizzard-PDF-lures-when-opened-300x190.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-8.-Examples-of-Star-Blizzard-PDF-lures-when-opened-768x487.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-8.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1536x973.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-8.-Examples-of-Star-Blizzard-PDF-lures-when-opened-2048x1298.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/12\/Figure-8.-Examples-of-Star-Blizzard-PDF-lures-when-opened-1024x649.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 8. Examples of Star Blizzard PDF lures when opened<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Recommendations<\/h2>\n<p>As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.<\/p>\n<p>Microsoft emphasizes that the following two mitigations will strengthen customers\u2019 environments against Star Blizzard attack activity:<\/p>\n<ul>\n<li>Using phishing resistant <a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/authentication\/concept-authentication-strengths\">authentication methods<\/a>.<\/li>\n<li>Lockdown account access using <a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/conditional-access\/overview\">Conditional Access policies<\/a><\/li>\n<\/ul>\n<p>Microsoft is sharing indicators of compromise related to this attack at the end of this report to encourage the security community to further investigate for potential signs of Star Blizzard activity using their security solution of choice. All these indicators have been incorporated into the threat intelligence feed that powers Microsoft Defender products to aid in protecting customers and mitigating this threat. If your organization is a Microsoft Defender for Office customer or a Microsoft Defender for Endpoint customer with <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/network-protection?view=o365-worldwide\">network protection turned on<\/a>, no further action is required to mitigate this threat presently. A thorough investigation should be performed to understand potential historical impact if Star Blizzard activity has been previously alerted on in the environment.<\/p>\n<p>Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat:<\/p>\n<ul>\n<li>Use advanced anti-phishing solutions&nbsp;that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that automatically&nbsp;<a href=\"https:\/\/learn.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc\">identify and block malicious websites<\/a> and provide solutions that&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-office-365?ocid=magicti_ta_abbreviatedmktgpage\">detect and block malicious emails, links, and files<\/a>.<\/li>\n<li>Run <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/edr-in-block-mode\">endpoint detection and response (EDR) in block mode<\/a> so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.<\/li>\n<li>Configure&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/automated-investigations?ocid=magicti_ta_learndoc\" target=\"_blank\" rel=\"noreferrer noopener\">investigation and remediation<\/a>&nbsp;in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.<\/li>\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus\">cloud-delivered protection<\/a> and automatic sample submission on Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.<\/li>\n<li>Use&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/fundamentals\/concept-fundamentals-security-defaults?ocid=magicti_ta_learndoc\">security defaults<\/a>&nbsp;as a baseline set of policies to improve identity security posture. For more granular control,&nbsp;enable conditional access policies.&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/conditional-access\/overview?ocid=magicti_ta_learndoc\">Conditional access<\/a>&nbsp;policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.<\/li>\n<li>Implement&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/conditional-access\/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc\">continuous access evaluation<\/a>.<\/li>\n<li>Continuously monitor suspicious or anomalous activities. Investigate sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, and use of anonymizer services).<\/li>\n<li>Configure Microsoft Defender for Office 365 to&nbsp;<a href=\"https:\/\/docs.microsoft.com\/office365\/securitycompliance\/atp-safe-links\">recheck links on click<\/a>. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/office-365-security\/anti-spam-and-anti-malware-protection?view=o365-worldwide\">anti-spam and anti-malware protection<\/a>&nbsp;in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.<\/li>\n<li>Use the Attack Simulator in <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/office-365-security\/attack-simulation-training-simulations\">Microsoft Defender for Office 365<\/a> to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application\u2019s consent screen as well as spoofed app names, logos, and domain URLs appearing to originate from legitimate applications or companies. Note that Attack Simulator testing only supports phishing emails containing links at this time.<\/li>\n<li>Encourage users to use Microsoft Edge and other web browsers that support <a href=\"https:\/\/learn.microsoft.com\/windows\/security\/threat-protection\/microsoft-defender-smartscreen\/microsoft-defender-smartscreen-overview\">Microsoft Defender SmartScreen<\/a>, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.<\/li>\n<li>Microsoft Defender customers can turn on <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction?ocid=magicti_ta_learndoc\">attack surface reduction rules<\/a> to prevent common attack techniques:\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion\">Block executable files<\/a> from running unless they meet a prevalence, age, or trusted list criterion.<\/li>\n<\/ul>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules?ocid=magicti_ta_learndoc#block-execution-of-potentially-obfuscated-scripts\">Block execution<\/a> of potentially obfuscated scripts.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Appendix<\/h2>\n<h3 class=\"wp-block-heading\">Microsoft Defender XDR detections<\/h3>\n<p><strong>Microsoft Defender for Office 365<\/strong><\/p>\n<p>Microsoft Defender for Office offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office inform Microsoft 365 Defender, which correlate cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected.&nbsp;These alerts, however, can be triggered by unrelated threat activity. Example alerts:<\/p>\n<ul>\n<li>A potentially malicious URL click was detected<\/li>\n<li>Email messages containing malicious URL removed after delivery<\/li>\n<li>Email messages removed after delivery<\/li>\n<li>Email reported by user as malware or phish<\/li>\n<\/ul>\n<p><strong>Microsoft Defender SmartScreen<\/strong><\/p>\n<p>Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section below. By enabling <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/network-protection\">Network protection<\/a>, organizations can block attempts to connect to these malicious domains.<\/p>\n<p><strong>Microsoft Defender for Endpoint<\/strong><\/p>\n<p>Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft 365 Defender alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:<\/p>\n<ul>\n<li>Star Blizzard activity group<\/li>\n<li>Suspicious URL clicked<\/li>\n<li>Suspicious URL opened in web browser<\/li>\n<li>User accessed link in ZAP-quarantined email<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">Threat intelligence reports<\/h3>\n<p>Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated threats found in customer environments.<\/p>\n<p><strong>Microsoft Defender Threat Intelligence<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/ti.defender.microsoft.com\/intel-profiles\/e24d62ce29705358542e259267c2f18da1725bf39f10828d53c53b8cb7f3113a\/description\">Star Blizzard<\/a><\/li>\n<li><a href=\"https:\/\/ti.defender.microsoft.com\/articles\/9d07bb8f\">Disrupting Star Blizzard\u2019s ongoing phishing operations<\/a><\/li>\n<\/ul>\n<p><strong>Microsoft 365 Defender Threat analytics&nbsp;<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/security.microsoft.com\/threatanalytics3\/ac6b7cc9-52df-4226-9d6f-d19561f0227a\/analystreport?search=star%2520blizzard&amp;tid=0553df8d-f650-4a9b-b0b8-f97df0aedfce\">Threat Insights: Disrupting Star Blizzard\u2019s ongoing phishing operations<\/a><\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">Hunting queries&nbsp;&nbsp;<\/h3>\n<p><strong>Microsoft Sentinel&nbsp;<\/strong><\/p>\n<p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.&nbsp;&nbsp;<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/85bb0038bcb9de50ad54865a83d0d797c86c337a\/Hunting%20Queries\/Microsoft%20365%20Defender\/Delivery\/Open%20email%20link.yaml#L8\" target=\"_blank\" rel=\"noreferrer noopener\">Open Email Link<\/a>&nbsp;<\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/85bb0038bcb9de50ad54865a83d0d797c86c337a\/Hunting%20Queries\/Microsoft%20365%20Defender\/Initial%20access\/SuspiciousUrlClicked.yaml#L5\" target=\"_blank\" rel=\"noreferrer noopener\">Suspicious Url Clicked<\/a>&nbsp;<\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/fec47e19e06f8a62975b2ae43d1679a6409b1b89\/Hunting%20Queries\/Microsoft%20365%20Defender\/Delivery\/Doc%20attachment%20with%20link%20to%20download.yaml#L6\" target=\"_blank\" rel=\"noreferrer noopener\">Doc attachment with link to download<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/fec47e19e06f8a62975b2ae43d1679a6409b1b89\/Solutions\/Microsoft%20Defender%20XDR\/Analytic%20Rules\/PossiblePhishingwithCSL%26NetworkSession.yaml#L4\" target=\"_blank\" rel=\"noreferrer noopener\">Possible Phishing with CSL &amp; NetworkSession<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Windows%20Server%20DNS\/Analytic%20Rules\/DNS_HighNXDomainCount_detection.yaml\" target=\"_blank\" rel=\"noreferrer noopener\">Potential DGA detected<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/85bb0038bcb9de50ad54865a83d0d797c86c337a\/Detections\/ASimWebSession\/PossibleDGAContacts.yaml#L2\" target=\"_blank\" rel=\"noreferrer noopener\">Possible DGA Contacts<\/a>&nbsp;<\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/85bb0038bcb9de50ad54865a83d0d797c86c337a\/Solutions\/DNS%20Essentials\/Analytic%20Rules\/PotentialDGADetectedviaRepetitiveFailuresAnomalyBased.yaml#L2\" target=\"_blank\" rel=\"noreferrer noopener\">Potential DGA Detected via Repetitive Failures AnomalyBased<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/85bb0038bcb9de50ad54865a83d0d797c86c337a\/Detections\/CommonSecurityLog\/MultiVendor-PossibleDGAContacts.yaml#L2\" target=\"_blank\" rel=\"noreferrer noopener\">MultiVendor-Possible DGA Contacts<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/fec47e19e06f8a62975b2ae43d1679a6409b1b89\/Solutions\/Business%20Email%20Compromise%20-%20Financial%20Fraud\/Hunting%20Queries\/SuccessfulSigninFromNon-CompliantDevice.yaml#L2\" target=\"_blank\" rel=\"noreferrer noopener\">Successful Signin From Non-CompliantDevice<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/fec47e19e06f8a62975b2ae43d1679a6409b1b89\/Detections\/MultipleDataSources\/RiskyUserIn3Pnetworkactivity.yaml#L33\" target=\"_blank\" rel=\"noreferrer noopener\">Risky User In 3P network activity<\/a><\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"IOC\">Indicators of compromise<\/h3>\n<p><strong>Star Blizzard domain infrastructure<\/strong><\/p>\n<figure class=\"wp-block-table table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Domain<\/strong><\/td>\n<td><strong>Registered<\/strong><\/td>\n<td><strong>Registrar<\/strong><\/td>\n<td><strong>X.509 TLS Certificate Issuer<\/strong><\/td>\n<td><strong>DNS provider resolving<\/strong><\/td>\n<\/tr>\n<tr>\n<td>centralitdef[.]com<\/td>\n<td>2023\/04\/03 14:29:33<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>rootgatewayshome[.]com<\/td>\n<td>2023\/04\/06 16:09:06<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>directstoragepro[.]com<\/td>\n<td>2023\/04\/07 14:18:19<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infocryptoweb[.]com<\/td>\n<td>2023\/04\/07 14:44:38<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cloudwebstorage[.]com<\/td>\n<td>2023\/04\/09 14:13:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cryptdatahub[.]com<\/td>\n<td>2023\/04\/10 10:07:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>datainfosecure[.]com<\/td>\n<td>2023\/04\/10 10:16:20<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>servershieldme[.]com<\/td>\n<td>2023\/04\/11 07:32:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>scandefinform[.]com<\/td>\n<td>2023\/04\/12 10:18:26<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>guardittech[.]com<\/td>\n<td>2023\/04\/12 13:36:33<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>storageinfohub[.]com<\/td>\n<td>2023\/04\/14 12:23:02<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docsinfohub[.]com<\/td>\n<td>2023\/04\/14 16:24:45<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>dbasechecker[.]com<\/td>\n<td>2023\/04\/20 08:31:04<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>dbasecheck[.]com<\/td>\n<td>2023\/04\/20 08:31:04<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>gaterecord[.]com<\/td>\n<td>2023\/04\/25 14:17:14<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>directsgate[.]com<\/td>\n<td>2023\/04\/25 14:17:14<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>storageinformationsolutions[.]com<\/td>\n<td>2023\/04\/25 15:33:03<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>storagedatadirect[.]com<\/td>\n<td>2023\/04\/25 15:33:05<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>informationdoorwaycertificate[.]com<\/td>\n<td>2023\/04\/25 17:50:04<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>datagatewaydoc[.]com<\/td>\n<td>2023\/04\/25 17:50:37<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>panelittechweb[.]com<\/td>\n<td>2023\/04\/27 12:19:19<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>panelitsolution[.]com<\/td>\n<td>2023\/04\/27 12:19:19<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>keeperdocument[.]com<\/td>\n<td>2023\/04\/27 14:18:19<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>keeperdocumentgatewayhub[.]com<\/td>\n<td>2023\/04\/27 14:18:25<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>docview[.]cloud<\/td>\n<td>2023\/05\/03 06:33:44<\/td>\n<td>Hostinger UAB<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>protectitbase[.]com<\/td>\n<td>2023\/05\/03 09:07:33<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webcatalogpro[.]com<\/td>\n<td>2023\/05\/04 09:47:19<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infoformdata[.]com<\/td>\n<td>2023\/05\/04 13:13:56<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>keydatastorageunit[.]com<\/td>\n<td>2023\/05\/10 09:20:39<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docanalizergate[.]com<\/td>\n<td>2023\/05\/10 15:23:14<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>docanalizerhub[.]com<\/td>\n<td>2023\/05\/10 15:23:21<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>hubdatapage[.]com<\/td>\n<td>2023\/05\/10 16:07:31<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>skyinformdata[.]com<\/td>\n<td>2023\/05\/11 11:10:35<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docsaccessdata[.]com<\/td>\n<td>2023\/05\/11 12:35:02<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>datacryptosafe[.]com<\/td>\n<td>2023\/05\/11 16:46:00<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cloudsetupprofi[.]com<\/td>\n<td>2023\/05\/12 15:35:42<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>setupprofi[.]com<\/td>\n<td>2023\/05\/12 15:35:52<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>analyzedatainfo[.]com<\/td>\n<td>2023\/05\/15 15:30:04<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infocryptodata[.]com<\/td>\n<td>2023\/05\/15 16:41:42<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>datadocsview[.]com<\/td>\n<td>2023\/05\/16 13:23:38<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>gatedocsview[.]com<\/td>\n<td>2023\/05\/16 13:23:42<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>hubinfodocs[.]com<\/td>\n<td>2023\/05\/16 13:27:07<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>proffsolution[.]com<\/td>\n<td>2023\/05\/16 14:20:42<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>proffitsolution[.]com<\/td>\n<td>2023\/05\/16 14:20:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>defproresults[.]com<\/td>\n<td>2023\/05\/16 14:20:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>greatnotifyinfo[.]com<\/td>\n<td>2023\/05\/16 14:55:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>topnotifydata[.]com<\/td>\n<td>2023\/05\/16 14:55:53<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>topinformdata[.]com<\/td>\n<td>2023\/05\/16 14:55:58<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>defoffresult[.]com<\/td>\n<td>2023\/05\/16 15:23:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cloudinfodata[.]com<\/td>\n<td>2023\/05\/16 15:23:52<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webpartdata[.]com<\/td>\n<td>2023\/05\/16 15:23:57<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infostoragegate[.]com<\/td>\n<td>2023\/05\/17 14:41:37<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>wardenstoragedoorway[.]com<\/td>\n<td>2023\/05\/17 15:17:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>myposcheck[.]com<\/td>\n<td>2023\/05\/25 08:52:50<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>poscheckdatacenter[.]com<\/td>\n<td>2023\/05\/25 08:52:51<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>checkdatapos[.]com<\/td>\n<td>2023\/05\/25 08:52:55<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docdatares[.]com<\/td>\n<td>2023\/05\/26 13:42:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>datawebhub[.]com<\/td>\n<td>2023\/05\/26 16:28:34<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cloudithub[.]com<\/td>\n<td>2023\/05\/26 16:28:35<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>secitweb[.]com<\/td>\n<td>2023\/05\/26 16:28:39<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>documentitsolution[.]com<\/td>\n<td>2023\/05\/29 13:21:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>keeperinformation[.]com<\/td>\n<td>2023\/05\/29 13:21:48<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webprodata[.]com<\/td>\n<td>2023\/05\/29 14:28:00<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>clouditprofi[.]com<\/td>\n<td>2023\/05\/29 14:28:01<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cryptoinfostorage[.]com<\/td>\n<td>2023\/05\/29 14:34:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>rootinformationgateway[.]com<\/td>\n<td>2023\/05\/29 14:34:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>gatewaydocumentdata[.]com<\/td>\n<td>2023\/06\/01 14:49:07<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>gatewayitservices[.]com<\/td>\n<td>2023\/06\/01 14:49:17<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infoviewerdata[.]com<\/td>\n<td>2023\/06\/01 14:59:51<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infoviewergate[.]com<\/td>\n<td>2023\/06\/01 14:59:51<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webitresourse[.]com<\/td>\n<td>2023\/06\/02 19:35:46<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>homedocsdata[.]com<\/td>\n<td>2023\/06\/05 16:05:54<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>homedocsview[.]com<\/td>\n<td>2023\/06\/05 16:06:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webdataproceed[.]com<\/td>\n<td>2023\/06\/08 17:29:54<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>directkeeperstorage[.]com<\/td>\n<td>2023\/06\/12 15:47:55<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>gatewaykeeperinformation[.]com<\/td>\n<td>2023\/06\/12 15:48:01<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>rootgatestorage[.]com<\/td>\n<td>2023\/06\/12 16:46:02<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>documentinformationsolution[.]com<\/td>\n<td>2023\/06\/12 16:46:04<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>getclouddoc[.]com<\/td>\n<td>2023\/06\/14 10:56:38<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>statusfiles[.]com<\/td>\n<td>2023\/06\/16 09:49:55<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webstaticdata[.]com<\/td>\n<td>2023\/06\/16 09:49:55<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cloudwebfile[.]com<\/td>\n<td>2023\/06\/16 09:49:59<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>statuswebcert[.]com<\/td>\n<td>2023\/06\/16 10:29:57<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>nextgenexp[.]com<\/td>\n<td>2023\/06\/16 10:29:57<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>informationkeeper[.]com<\/td>\n<td>2023\/06\/16 14:48:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>documentgatekeeper[.]com<\/td>\n<td>2023\/06\/16 14:48:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cryptogatesolution[.]com<\/td>\n<td>2023\/06\/16 15:32:31<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>rootgatewaystorage[.]com<\/td>\n<td>2023\/06\/16 15:32:34<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infoviewstorage[.]com<\/td>\n<td>2023\/06\/22 12:34:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infoconnectstorage[.]com<\/td>\n<td>2023\/06\/22 12:34:18<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infolookstorage[.]com<\/td>\n<td>2023\/06\/22 13:53:04<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>judicialliquidators[.]com<\/td>\n<td>2023\/06\/25 11:28:05<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>safetyagencyservice[.]com<\/td>\n<td>2023\/06\/25 11:28:08<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>dynamiclnk[.]com<\/td>\n<td>2023\/06\/27 13:20:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>temphoster[.]com<\/td>\n<td>2023\/06\/27 13:20:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>documententranceintelligence[.]com<\/td>\n<td>2023\/06\/27 17:13:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>documentgateprotector[.]com<\/td>\n<td>2023\/06\/27 17:13:51<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>readinfodata[.]com<\/td>\n<td>2023\/06\/28 16:09:46<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>readdatainform[.]com<\/td>\n<td>2023\/06\/28 16:09:50<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webcryptoinfo[.]com<\/td>\n<td>2023\/06\/29 12:41:50<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>storageinfodata[.]com<\/td>\n<td>2023\/06\/29 12:41:50<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>keeperdatastorage[.]com<\/td>\n<td>2023\/07\/03 17:40:16<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>keepinformationroot[.]com<\/td>\n<td>2023\/07\/03 17:40:21<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>keyservicebar[.]com<\/td>\n<td>2023\/07\/05 13:25:41<\/td>\n<td>PDR Ltd.<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>bitespacedev[.]com<\/td>\n<td>2023\/07\/05 13:25:43<\/td>\n<td>PDR Ltd.<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cryptodocumentinformation[.]com<\/td>\n<td>2023\/07\/05 15:04:46<\/td>\n<td>PDR Ltd.<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>directdocumentinfo[.]com<\/td>\n<td>2023\/07\/05 15:04:48<\/td>\n<td>PDR Ltd.<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>techpenopen[.]com<\/td>\n<td>2023\/07\/05 15:49:13<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>loginformationbreakthrough[.]com<\/td>\n<td>2023\/07\/06 16:01:36<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>alldocssolution[.]com<\/td>\n<td>2023\/07\/06 16:01:39<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>documentkeepersolutionsystems[.]com<\/td>\n<td>2023\/07\/06 18:45:01<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docholdersolution[.]com<\/td>\n<td>2023\/07\/06 18:45:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infodocitsolution[.]com<\/td>\n<td>2023\/07\/07 11:00:59<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>securebrowssolution[.]com<\/td>\n<td>2023\/07\/07 11:00:59<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>secbrowsingate[.]com<\/td>\n<td>2023\/07\/07 11:18:09<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>secbrowsingsystems[.]com<\/td>\n<td>2023\/07\/07 11:18:14<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docguardmaterial[.]com<\/td>\n<td>2023\/07\/10 11:38:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>dockeeperweb[.]com<\/td>\n<td>2023\/07\/10 11:38:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docsecgate[.]com<\/td>\n<td>2023\/07\/11 13:27:59<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>documentsecsolution[.]com<\/td>\n<td>2023\/07\/11 13:28:01<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>cryptogatehomes[.]com<\/td>\n<td>2023\/07\/11 17:51:38<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>topcryptoprotect[.]com<\/td>\n<td>2023\/07\/12 13:03:36<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>safedocumentgatesolution[.]com<\/td>\n<td>2023\/07\/12 13:17:15<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>safedocitsolution[.]com<\/td>\n<td>2023\/07\/12 13:17:23<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docscontentview[.]com<\/td>\n<td>2023\/07\/12 15:05:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>docscontentgate[.]com<\/td>\n<td>2023\/07\/12 15:05:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>openprojectgate[.]com<\/td>\n<td>2023\/07\/12 15:30:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>infowardendoc[.]com<\/td>\n<td>2023\/07\/12 15:30:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>wardensecbreakthrough[.]com<\/td>\n<td>2023\/07\/12 15:41:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>lawsystemjudgement[.]com<\/td>\n<td>2023\/07\/12 15:41:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>explorewebdata[.]com<\/td>\n<td>2023\/07\/13 08:12:07<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>doorwayseclaw[.]com<\/td>\n<td>2023\/07\/13 13:22:18<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>entryloginpoint[.]com<\/td>\n<td>2023\/07\/13 13:22:22<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>wardenlawsec[.]com<\/td>\n<td>2023\/07\/13 14:12:32<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>entrygatebreak[.]com<\/td>\n<td>2023\/07\/13 14:12:32<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>digitalworkdata[.]com<\/td>\n<td>2023\/07\/13 15:00:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>digitalhubdata[.]com<\/td>\n<td>2023\/07\/13 15:00:45<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>craftfilelink[.]com<\/td>\n<td>2023\/07\/13 15:31:00<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>createtempdoc[.]com<\/td>\n<td>2023\/07\/13 15:31:00<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>provideexplorer[.]com<\/td>\n<td>2023\/07\/13 16:25:33<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>reviewopenfile[.]com<\/td>\n<td>2023\/07\/13 16:25:34<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>govsafebreakthrough[.]com<\/td>\n<td>2023\/07\/13 16:26:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>govlawentrance[.]com<\/td>\n<td>2023\/07\/13 16:26:55<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>storagekeepdirect[.]com<\/td>\n<td>2023\/07\/13 17:36:39<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>storageguarddirect[.]com<\/td>\n<td>2023\/07\/13 17:36:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>storagekeeperexpress[.]com<\/td>\n<td>2023\/07\/14 13:27:26<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>onestorageprotectordirect[.]com<\/td>\n<td>2023\/07\/14 13:27:27<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>lawwardensafety[.]com<\/td>\n<td>2023\/07\/14 13:41:52<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>entrancequick[.]com<\/td>\n<td>2023\/07\/14 13:41:53<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>seclawdoorway[.]com<\/td>\n<td>2023\/07\/14 15:28:39<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>wardengovermentlaw[.]com<\/td>\n<td>2023\/07\/14 15:28:43<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>getvaluepast[.]com<\/td>\n<td>2023\/07\/14 16:14:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>transferlinkdata[.]com<\/td>\n<td>2023\/07\/14 16:14:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>remcemson[.]com<\/td>\n<td>2023\/07\/26 11:25:48<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>osixmals[.]com<\/td>\n<td>2023\/07\/26 11:25:56<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>entranceto[.]com<\/td>\n<td>2023\/07\/28 12:26:15<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>govermentsecintro[.]com<\/td>\n<td>2023\/07\/28 12:26:17<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>itbugreportbeta[.]com<\/td>\n<td>2023\/07\/28 13:06:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>theitbugreportbeta[.]com<\/td>\n<td>2023\/07\/28 13:06:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>sockintrodoorway[.]com<\/td>\n<td>2023\/07\/28 13:21:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>maxintrosec[.]com<\/td>\n<td>2023\/07\/28 13:21:42<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>doorgovcommunity[.]com<\/td>\n<td>2023\/07\/28 15:11:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>tarentrycommunity[.]com<\/td>\n<td>2023\/07\/28 15:11:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>webfigmadesignershop[.]com<\/td>\n<td>2023\/07\/28 16:09:07<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>webfigmadesigner[.]com<\/td>\n<td>2023\/07\/28 16:09:11<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>logincontrolway[.]com<\/td>\n<td>2023\/07\/28 16:35:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>vertransmitcontrol[.]com<\/td>\n<td>2023\/07\/28 16:35:44<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>everyinit[.]com<\/td>\n<td>2023\/08\/09 13:56:51<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>aliceplants[.]com<\/td>\n<td>2023\/08\/09 17:22:26<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>countingtall[.]com<\/td>\n<td>2023\/08\/09 17:22:30<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>silenceprotocol[.]com<\/td>\n<td>2023\/08\/10 12:32:10<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>mintwithapples[.]com<\/td>\n<td>2023\/08\/10 12:32:15<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>winterholds[.]com<\/td>\n<td>2023\/08\/10 12:53:29<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>ziplinetransfer[.]com<\/td>\n<td>2023\/08\/10 16:47:53<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>translatesplit[.]com<\/td>\n<td>2023\/08\/10 16:47:53<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>getfigmacreator[.]com<\/td>\n<td>2023\/08\/11 13:13:20<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>postrequestin[.]com<\/td>\n<td>2023\/08\/11 13:13:23<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>tarifjane[.]com<\/td>\n<td>2023\/08\/17 14:05:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>configlayers[.]com<\/td>\n<td>2023\/08\/17 14:05:48<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>winterhascometo[.]com<\/td>\n<td>2023\/08\/17 16:21:43<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>inyourheadexp[.]com<\/td>\n<td>2023\/08\/17 16:21:43<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>glorybuses[.]com<\/td>\n<td>2023\/08\/18 15:27:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>janeairintroduction[.]com<\/td>\n<td>2023\/08\/18 15:27:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>vikingonairplane[.]com<\/td>\n<td>2023\/08\/18 16:19:48<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>marungame[.]com<\/td>\n<td>2023\/08\/18 16:19:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>victorinwounder[.]com<\/td>\n<td>2023\/08\/21 16:14:48<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>paneindestination[.]com<\/td>\n<td>2023\/08\/21 16:15:02<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>trastamarafamily[.]com<\/td>\n<td>2023\/08\/22 11:20:22<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>territoryedit[.]com<\/td>\n<td>2023\/08\/22 11:20:24<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>vectorto[.]com<\/td>\n<td>2023\/08\/24 09:40:49<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>johnysadventure[.]com<\/td>\n<td>2023\/08\/24 09:40:54<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>paternenabler[.]com<\/td>\n<td>2023\/08\/25 14:40:31<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>fastnamegenerator[.]com<\/td>\n<td>2023\/08\/25 14:40:35<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>literallyandme[.]com<\/td>\n<td>2023\/08\/28 13:21:33<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>andysalesproject[.]com<\/td>\n<td>2023\/08\/28 13:21:34<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>pandawithrainbow[.]com<\/td>\n<td>2023\/08\/28 17:08:58<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>natalyincity[.]com<\/td>\n<td>2023\/08\/29 15:25:02<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>machinerelise[.]com<\/td>\n<td>2023\/09\/01 16:29:09<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>industrialcorptruncate[.]com<\/td>\n<td>2023\/09\/01 16:30:07<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>constructionholdingnewlife[.]com<\/td>\n<td>2023\/09\/07 14:00:55<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>adventuresrebornpanda[.]com<\/td>\n<td>2023\/09\/07 14:00:55<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>cryingpand[.]com<\/td>\n<td>2023\/09\/13 13:10:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>industrialwatership[.]com<\/td>\n<td>2023\/09\/13 13:10:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>olohaisland[.]com<\/td>\n<td>2023\/09\/13 14:25:35<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>voodoomagician[.]com<\/td>\n<td>2023\/09\/13 14:25:36<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>newestchairs[.]com<\/td>\n<td>2023\/09\/14 11:24:47<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>cpuisocutter[.]com<\/td>\n<td>2023\/09\/14 12:37:53<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>incorpcpu[.]com<\/td>\n<td>2023\/09\/14 12:37:57<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>gulperfish[.]com<\/td>\n<td>2023\/09\/14 14:00:25<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>leviathanfish[.]com<\/td>\n<td>2023\/09\/14 14:00:25<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>truncationcorp[.]com<\/td>\n<td>2023\/09\/14 14:05:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>gzipinteraction[.]com<\/td>\n<td>2023\/09\/14 14:05:42<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>ghostshowing[.]com<\/td>\n<td>2023\/09\/14 16:10:42<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>hallowenwitch[.]com<\/td>\n<td>2023\/09\/14 16:10:43<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>certificatentrance[.]com<\/td>\n<td>2023\/09\/19 08:18:39<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>apiwebdata[.]com<\/td>\n<td>2023\/10\/02 14:59:14<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>apidatahook[.]com<\/td>\n<td>2023\/10\/04 15:45:19<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>apireflection[.]com<\/td>\n<td>2023\/10\/04 15:45:25<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>protectionoffice[.]tech<\/td>\n<td>2023\/10\/05 11:33:46<\/td>\n<td>Hostinger UAB<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>lazyprotype[.]com<\/td>\n<td>2023\/10\/11 11:52:18<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>angelicfish[.]com<\/td>\n<td>2023\/10\/13 17:57:29<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>globalyfish[.]com<\/td>\n<td>2023\/10\/13 17:57:31<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>medicprognosis[.]com<\/td>\n<td>2023\/10\/16 14:36:32<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>medicoutpatient[.]com<\/td>\n<td>2023\/10\/16 14:36:41<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>krakfish[.]com<\/td>\n<td>2023\/10\/17 17:09:29<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>stingrayfish[.]com<\/td>\n<td>2023\/10\/17 17:09:31<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>incorpreview[.]com<\/td>\n<td>2023\/10\/17 18:27:09<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>truncatetrim[.]com<\/td>\n<td>2023\/10\/17 18:27:11<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>corporatesinvitation[.]com<\/td>\n<td>2023\/10\/18 14:48:54<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>triminget[.]com<\/td>\n<td>2023\/10\/18 17:31:40<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>firewitches[.]com<\/td>\n<td>2023\/10\/19 10:40:51<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>solartemplar[.]com<\/td>\n<td>2023\/10\/19 10:40:52<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>encryptionrenewal[.]com<\/td>\n<td>2023\/10\/20 13:36:24<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>sslkeycert[.]com<\/td>\n<td>2023\/10\/20 13:36:24<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>barbarictruths[.]com<\/td>\n<td>2023\/10\/23 07:37:30<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>castlefranks[.]com<\/td>\n<td>2023\/10\/23 07:37:33<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>comintroduction[.]com<\/td>\n<td>2023\/10\/24 14:01:11<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td>corpviewer[.]com<\/td>\n<td>2023\/10\/31 13:10:38<\/td>\n<td>NameCheap, Inc<\/td>\n<td>C=US, O=Let&#8217;s Encrypt, CN=R3<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Star Blizzard HubSpot campaign domains:<\/strong><\/p>\n<ul>\n<li>djs53104[.]eu1[.]hubspotlinksfree[.]com \u2013 used in August 2023<\/li>\n<li>djr6t104[.]eu1[.]hubspotlinksfree[.]com \u2013 used in August 2023<\/li>\n<li>djrzf704[.]eu1[.]hubspotlinksfree[.]com \u2013 used in August 2023<\/li>\n<li>djskzh04[.]eu1[.]hubspotlinksfree[.]com \u2013 used in August 2023<\/li>\n<li>djslws04[.]eu1[.]hubspotlinksfree[.]com \u2013 used in August 2023<\/li>\n<li>djs36c04[.]eu1[.]hubspotlinksfree[.]com \u2013 used in August 2023<\/li>\n<li>djt47x04[.]eu1[.]hubspotlinksfree[.]com \u2013 used in September 2023<\/li>\n<li>djvcl404[.]eu1[.]hubspotlinksfree[.]com \u2013 used in October 2023<\/li>\n<li>d5b74r04[.]na1[.]hubspotlinksfree[.]com \u2013 used in October 2023<\/li>\n<li>djvxqp04[.]eu1[.]hubspotlinksfree[.]com \u2013 used in October 2023<\/li>\n<\/ul>\n<p><strong>Star Blizzard MailerLite campaign domain:<\/strong><\/p>\n<ul>\n<li>ydjjja[.]clicks[.]mlsend[.]com \u2013 used in September 2023<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">References<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.ncsc.gov.uk\/news\/spear-phishing-campaigns-targets-of-interest\">https:\/\/www.ncsc.gov.uk\/news\/spear-phishing-campaigns-targets-of-interest<\/a><\/li>\n<li><a href=\"https:\/\/www.recordedfuture.com\/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023 \">https:\/\/www.recordedfuture.com\/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023 <\/a><\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">Further reading<\/h3>\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n<p>To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at <a href=\"https:\/\/twitter.com\/MsftSecIntel\">https:\/\/twitter.com\/MsftSecIntel<\/a>.<\/p>\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/07\/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks\/\">Star Blizzard increases sophistication and evasion in ongoing attacks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/07\/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Thu, 07 Dec 2023 12:01:00 +0000<\/strong><\/p>\n<p>Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard, who has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against targets.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/07\/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks\/\">Star Blizzard increases sophistication and evasion in ongoing attacks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[3321,21863,30591,30382],"class_list":["post-23564","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-blizzard","tag-credential-theft","tag-star-blizzard-seaborgium","tag-state-sponsored-threat-actor"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23564"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23564\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}