
Star Blizzard increases sophistication and evasion in ongoing attacks

October 2024 update – Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by Star Blizzard. We have updated this blog with the latest observed Star Blizzard tactics, techniques, and procedures (TTPs).

Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian nation-state actor we call Star Blizzard. Star Blizzard has continuously improved their detection evasion capabilities while remaining focused on email credential theft against the same targets. Star Blizzard, whose activities we assess to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests. Microsoft continues to refine and deploy protections against Star Blizzard’s evolving spear-phishing tactics.

Microsoft is grateful for the collaboration on investigating Star Blizzard compromises with the international cybersecurity community, including our partners at the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.

This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), building on our 2022 blog as the threat actor continues to refine their tradecraft to evade detection. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Star Blizzard TTPs observed in 2024

Star Blizzard persistently introduces new techniques to avoid detection. These TTPs are employed for brief periods and are either modified or abandoned once they become publicly known.

Microsoft has identified the following evasive techniques used by Star Blizzard in campaigns in 2024:

Using multiple registrars to register domain infrastructure

In December 2023, we highlighted that Star Blizzard was using the registrar NameCheap to register their domain infrastructure. As CitizenLab reported (August 2024), the threat actor has also used Hostinger to register domains used in the infrastructure for email credential theft.

Microsoft can confirm that in 2024 Star Blizzard transitioned from their long-standing practice of primarily using a single domain name registrar. Among the registrars that Star Blizzard has been seen using in 2024 are the following:

A list of recent domain names registered by Star Blizzard can be found at the end of this report.

Since August 2024, Star Blizzard has made substantial changes in the methods they employ to redirect targets to their virtual private server (VPS) infrastructure, on which Evilginx is installed and then used to facilitate credential theft.

In December 2023, we detailed the threat actor’s use of email marketing platforms to prevent the need to embed the actor-registered domains in their spear-phishing emails. This technique was abandoned in early 2024, with the threat actor transitioning first to hosting the initial redirector website on shared infrastructure. Since August 2024, Star Blizzard has added multiple layers of redirection to their VPS infrastructure, utilizing various link-shortening services and legitimate websites that can be used as open redirectors.

For example, in a recent spear-phishing email that was sent from an actor-controlled Outlook account, we found that the threat actor had embedded an initial link, created using Microsoft 365 Safe Links, into the attached PDF lure. The Safe Links URL could only be generated by sending an email between actor-controlled accounts with the link in the body. The actor then copied that generated Safe Links URL to use in their attack.

Figure 1. Initial link in a spear-phishing campaign by Star Blizzard embedded in a PDF file

This link redirected to a shortened URL created using the Bitly link-shortening service, which resolved to another shortened URL created using the Cuttly link-shortening service. The second shortened URL redirected to a legitimate website, used as an open redirector, which ultimately redirected to the first actor-controlled domain.

The website mechengsys[.]net was hosted on shared infrastructure at Hostinger and performed various filtering actions until ultimately redirecting to an actor-controlled VPS installed with Evilginx, resolving the domain vidmemax[.]com.

Figure 2. Chain of redirection from initial link to the Star Blizzard-controlled domain
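For defenders, the layered chain described above (Safe Links wrapper, two link shorteners, an open redirector, then the landing domain) can be reconstructed from web proxy logs. The following is an added example, not code from Microsoft's report: the log record layout, the `.example` hosts, and the scoring thresholds are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SHORTENERS = {"bit.ly", "cutt.ly"}  # the two services named in the report
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed hop URLs; the .example hosts are placeholders, not indicators.
OPEN_REDIR = "https://www.legit-site.example/out?url=https%3A%2F%2Fredirector.example%2Fdocs"
WRAPPED = "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly%2Fabc123"

# Constructed proxy records: (client, requested URL, status, Location header)
SAMPLE_LOG = [
    ("10.0.0.5", WRAPPED, 302, "https://bit.ly/abc123"),
    ("10.0.0.5", "https://bit.ly/abc123", 301, "https://cutt.ly/xyz789"),
    ("10.0.0.5", "https://cutt.ly/xyz789", 301, OPEN_REDIR),
    ("10.0.0.5", OPEN_REDIR, 302, "https://redirector.example/docs"),
    ("10.0.0.5", "https://redirector.example/docs", 200, None),
    ("10.0.0.9", "https://bit.ly/news1", 301, "https://news.example/article"),
    ("10.0.0.9", "https://news.example/article", 200, None),
]


def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def classify_hop(url, location):
    """Label one logged request by the role its host plays in the chain."""
    h = host(url)
    if h.endswith(SAFELINKS_SUFFIX):
        return "safelinks"
    if h in SHORTENERS:
        return "shortener"
    if location is None:
        return "landing"
    # Open redirector: the destination is passed in the query string
    # and sits on a different host than the site doing the redirect.
    target = host(location)
    for values in parse_qs(urlsplit(url).query).values():
        if any(host(v) == target and target != h for v in values):
            return "open_redirect"
    return "redirect"


def build_chains(records):
    """Stitch per-client records into chains by following Location headers."""
    by_key = {(c, u): loc for c, u, _status, loc in records}
    redirected_to = {(c, loc) for c, _u, _status, loc in records if loc}
    chains = []
    for c, u, _status, _loc in records:
        if (c, u) in redirected_to:
            continue  # reached via an earlier hop, so not a chain start
        chain, seen, cur = [], set(), u
        while cur and (c, cur) in by_key and cur not in seen:
            seen.add(cur)  # guards against redirect loops
            loc = by_key[(c, cur)]
            chain.append((cur, classify_hop(cur, loc)))
            cur = loc
        chains.append((c, chain))
    return chains


def analyze(records):
    """Return one assessment per chain; two or more reasons marks it suspicious."""
    results = []
    for client, chain in build_chains(records):
        kinds = [k for _u, k in chain]
        hosts = {host(u) for u, _k in chain}
        reasons = []
        if kinds.count("shortener") >= 2:
            reasons.append("chained link shorteners")
        if "open_redirect" in kinds:
            reasons.append("open redirector on a third-party site")
        if len(hosts) >= 4:  # assumed threshold
            reasons.append("four or more distinct hosts in one chain")
        results.append({
            "client": client,
            "kinds": kinds,
            "last_host": host(chain[-1][0]),
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,
        })
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r["client"], r["last_host"], r["suspicious"], r["reasons"])
```

A chain flagged this way is a lead for investigation: the last host can then be checked against registration age and threat intelligence.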

Use of altered legitimate email templates as spear-phishing lures

For a brief period between July and August 2024, the threat actor utilized spear-phishing lures that did not contain or redirect to PDF lures embedded with links that redirected to actor-controlled infrastructure. Instead, Star Blizzard sent targets an altered OneDrive file share notification that included a clickable link to a malicious URL. When clicked, the link would initiate redirection to actor-controlled infrastructure. We observed Star Blizzard using this approach in spear-phishing attacks against its traditional espionage targets, including individuals associated with politics and diplomacy, NGOs, and think tanks.

Figure 3. The attack chain used in Star Blizzard’s 2024 spear-phishing lure campaign

In this approach, the threat actor began by creating a new email account, usually a Proton account, intended to impersonate a trusted sender so the recipient would be more likely to open the phishing email. The actor then stored a benign PDF or Word file in a cloud file-hosting service (for example, when targeting Microsoft customers, OneDrive) and shared the file with the newly created email account. The threat actor edited the HTML of the email, changing the displayed sender name and the URL behind the “Open” button that would otherwise lead back to the OneDrive-hosted file so that it directed to the Evilginx redirector domain instead.  

Star Blizzard then sent the spear-phishing email to the target. When the “Open” button was clicked, it directed the user to the redirector domain, which, after performing filtering based on browser fingerprinting and additional methods, directed the target to an actor-controlled Virtual Private Server (VPS) with the Evilginx installation. The Evilginx server allowed Star Blizzard to perform an adversary-in-the-middle (AiTM) attack on an authentication session to an email provider, enabling the actor to receive the necessary information to perform subsequent sign-ins to the target’s email account, including the username, password, and MFA token, if MFA is used by the target.

Figure 4. Star Blizzard spear-phishing lure
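The altered notification described above leaves a checkable inconsistency: the message presents itself as a OneDrive share, but the “Open” button no longer points at a OneDrive host. The following added example (not from Microsoft's report) checks for that mismatch; the notification wording, the allow-list of expected link hosts, and the `.example` hosts are assumptions to adapt to the templates seen in your own mail flow.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of hosts a genuine OneDrive share link resolves under.
EXPECTED_LINK_SUFFIXES = ("1drv.ms", "onedrive.live.com", "sharepoint.com")
# Sender domains the report says deserve special attention.
WATCHED_SENDER_DOMAINS = {"proton.me", "protonmail.com"}


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.anchors.append((text, self._href))
            self._href = None


def host_matches(hostname, suffixes):
    """True if hostname equals a suffix or is a subdomain of it."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def html_body(msg):
    """Return the first text/html part of the message as a string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def inspect_share_notification(raw):
    """Flag a share notification whose 'Open' button leaves the expected hosts."""
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = html_body(msg)
    collector = AnchorCollector()
    collector.feed(body)
    lowered = body.lower()
    is_share = "onedrive" in lowered and "shared" in lowered  # assumed wording
    open_hosts = [
        (urlsplit(href).hostname or "").lower()
        for text, href in collector.anchors
        if text.lower() == "open"
    ]
    off_platform = [h for h in open_hosts if not host_matches(h, EXPECTED_LINK_SUFFIXES)]
    return {
        "is_share_notification": is_share,
        "sender_domain": sender_domain,
        "watched_sender": sender_domain in WATCHED_SENDER_DOMAINS,
        "open_hosts": open_hosts,
        "suspicious": is_share and bool(off_platform),
    }


def constructed_message(sender, open_href):
    """Build a constructed sample notification (not a real OneDrive template)."""
    return (
        f"From: {sender}\n"
        "To: target@contoso.example\n"
        "Subject: Briefing.pdf was shared with you\n"
        "MIME-Version: 1.0\n"
        'Content-Type: text/html; charset="utf-8"\n'
        "\n"
        "<html><body><p>A file was shared with you in OneDrive</p>"
        f'<a href="{open_href}"><span>Open</span></a>'
        '<a href="https://onedrive.live.com/about">About OneDrive</a>'
        "</body></html>\n"
    )


if __name__ == "__main__":
    altered = constructed_message('"Alex Example" <alex.example@proton.me>',
                                  "https://redirector.example/docs")
    print(inspect_share_notification(altered))
```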

TTPs used in past Star Blizzard campaigns

Microsoft observed Star Blizzard using the following TTPs in campaigns before 2024, highlighting continuously evolving techniques used by the threat actor to evade detection:

Use of server-side scripts to prevent automated scanning

Between April 2023 and December 2023, we observed Star Blizzard gradually moving away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, first executing JavaScript code (titled “Collect and Send User Data”) before redirecting the browsing session to the Evilginx server.

Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled “Docs”), which is still in use today.

This capability collects various information from the browser performing the browsing session to the redirector server. The code contains three main functions:

A function that checks if the browser has any plugins installed.
A function that checks for various indicators that the page is being accessed by an automation tool and returns an object with information about the detected tools.
A function that sends the data collected by isAutomationTool() to the server using a POST request.

Following the POST request, the redirector server assessed the data collected from the browser and decided whether to allow continued browser redirection.

When a good verdict was reached, the browser received a response from the redirection server, redirecting to the next stage of the chain, which was either an hCaptcha for the user to solve or a direct redirect to the Evilginx server.

A bad verdict resulted in the receipt of an HTTP error response and no further redirection.

Screenshot of code depicting the POST request and server response
Figure 5. Content of POST request and server response using “Collect and Send User Data” JavaScript

Use of email marketing platform services

We previously observed Star Blizzard using two different services, HubSpot and MailerLite. The actor used these services to create an email campaign, which provided them with a dedicated subdomain on the service that was then used to create URLs. These URLs acted as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure. The services also provided the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the “From” address in their campaigns.

Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal. We assess that this use case of the HubSpot mailing platform was to allow the threat actor to track large numbers of identical messages sent to multiple recipients. Note the “Reply-to” address in these emails, which the HubSpot platform requires to be an actual in-use account. All the sender accounts in the following examples were dedicated threat actor-controlled accounts.

Three screenshots of themed spear-phishing email headers for a US grants management portal
Figure 6. Examples of themed spear-phishing email headers

Other HubSpot campaigns have been observed using the campaign URL embedded in an attached PDF lure or directly in the email body to perform redirection to actor-controlled Evilginx server infrastructure configured for email account credential theft. We assess that in these cases, the HubSpot platform was used to remove the need for including actor-controlled domain infrastructure in the spear-phishing emails and better evade detection based on indicators of compromise (IOC).

Figure 7. Example of victim redirection chain using initial HubSpot URL

Star Blizzard’s use of the MailerLite platform is similar to the second HubSpot tactic described above, with the observed campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.

Use of a DNS provider to resolve actor-controlled domain infrastructure

In December 2022, we began to observe Star Blizzard using a domain name service (DNS) provider that also acts as a reverse proxy server to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.

We have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.

Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders. The threat actor usually sends the password to open the file to the targeted user in the same or a subsequent email message.

In addition to password-protecting the PDF lures themselves, the actor has been observed hosting PDF lures at a cloud storage service and sharing a password-protected link to the file in a message sent to the intended victim. While Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft OneDrive), Proton Drive is predominantly chosen for this purpose.

Microsoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing activities.

Screenshot of an example spear-phishing email with a password protecting link to Proton Drive
Figure 8. Example of spear-phishing email with password protected link to Proton Drive

Randomizing DGA for actor registered domains

Following the detailed public reporting by Recorded Future (August 2023) on detection opportunities for Star Blizzard domain registrations, we have observed the threat actor making significant changes in their chosen domain naming syntax.

Prior to the public reporting, Star Blizzard utilized a limited wordlist for their DGA. Subsequently, Microsoft has observed that the threat actor has upgraded their domain-generating mechanism to include a more randomized list of words.

Despite the increased randomization, Microsoft has identified detection opportunities based on the following constant patterns in Star Blizzard domain registration behavior:

Examples of two X.509 TLS certificates used by the threat actor
Figure 9. Examples of X.509 TLS certificates used by Star Blizzard

A list of recent domain names registered by Star Blizzard can be found at the end of this report.

Consistent TTPs since 2022

Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts.

Star Blizzard continues to utilize the publicly available Evilginx framework to achieve their objective, with spear-phishing via email remaining the initial access vector. Target redirection to the threat actor’s Evilginx server infrastructure is still usually achieved using custom-built PDF lures that open a browser session. This session follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a “phishlet” for the intended targets’ email provider.

Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain.

Diagram displaying the redirection chain from PDF spear-phishing lure, to the actor-controlled VPS hosting redirection server, to the actor-controlled VPS hosting Evilginx server.
Figure 10. Typical Star Blizzard redirection chain to Evilginx infrastructure

Protecting yourself against Star Blizzard

As with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes, individual email users should be aware of who these attacks target and what they look like to improve their ability to identify and avoid further attacks.

The following is a list of answers to questions that enterprise and consumer email users should be asking about the threat from Star Blizzard:

Am I at risk of being a Star Blizzard target?

Users and organizations are more likely to be a potential Star Blizzard target if connected to the following areas:

  1. Government or diplomacy (both incumbent and former position holders).
  2. Research into defense policy or international relations when related to Russia.
  3. Assistance to Ukraine related to the ongoing conflict with Russia.

Remember that Star Blizzard targets both consumer and enterprise accounts, so there is an equal threat to both organization and personal accounts.

What will a Star Blizzard spear-phishing email look like?

Star Blizzard emails appear to be from a known contact that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders (@proton[.]me, @protonmail[.]com) as they are frequently used by the threat actor.

An initial email is usually sent to the target, asking them to review a document, but without any attachment or link to the document.

The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or an embedded link, as detailed above in “Star Blizzard TTPs observed in 2024.”

If the targeted user has not completed authentication by entering their password in the offered sign-in page and/or supplied all the required factors for multifactor authentication (MFA), the threat actor does not have the capability to successfully compromise the targeted account.

Our recommendation to all email users that belong to Star Blizzard targeted sectors is to always remain vigilant when dealing with email, especially emails containing links to external resources. When in doubt, contact the person you think is sending the email using a known and previously used email address, to verify that the email was indeed sent by them.

What happens if I interact with a Star Blizzard PDF lure?

Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code—this is the beginning of the redirection chain. Targets will likely see a web page titled “Docs” in the initial page opened and may be presented with a CAPTCHA to solve before continuing the redirection. The browsing session will end showing a sign-in screen to the account where the spear-phishing email was received, with the targeted email already appearing in the username field.

The host domain in the web address is an actor-controlled domain (see appendix for full list), and not the expected domain of the email server or cloud service.

If multifactor authentication is configured for a targeted email account, entering a password in the displayed sign-in screen will trigger an authentication approval request. If passwordless access is configured for the targeted account, an authentication approval request is immediately received on the device chosen for receiving authentication approvals.

As long as the authentication process is not completed (a valid password is not entered and/or an authentication request is not approved), the threat actor has not compromised the account.

If the authentication process is completed, the credentials have been successfully compromised by Star Blizzard, and the threat actor has all the required details needed to immediately access the mailbox, even if multifactor authentication is enabled.

Four screenshots of what the PDF lures look like when opened, such as CAPTCHAs or sign-in pages.
Figure 11. Examples of Star Blizzard PDF lures when opened

Recommendations

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Microsoft emphasizes that the following two mitigations will strengthen customers’ environments against Star Blizzard attack activity:

Microsoft is sharing indicators of compromise related to this attack at the end of this report to encourage the security community to further investigate for potential signs of Star Blizzard activity using their security solution of choice. All these indicators have been incorporated into the threat intelligence feed that powers Microsoft Defender products to aid in protecting customers and mitigating this threat. If your organization is a Microsoft Defender for Office customer or a Microsoft Defender for Endpoint customer with network protection turned on, no further action is required to mitigate this threat presently. A thorough investigation should be performed to understand potential historical impact if Star Blizzard activity has been previously alerted on in the environment.

Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat:

Appendix

Microsoft Defender XDR detections

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlates cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity. Example alerts:

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section below. By enabling Network protection, organizations can block attempts to connect to these malicious domains.

Microsoft Defender for Endpoint

Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft Defender for Endpoint alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Defender for Endpoint Threat analytics 

Hunting queries  

Microsoft Sentinel 

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.  

Indicators of compromise

Domain infrastructure observed in 2024


Past Star Blizzard domain infrastructure

judicialliquidators[.]com2023/06/25 11:28:05NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
safetyagencyservice[.]com2023/06/25 11:28:08NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
dynamiclnk[.]com2023/06/27 13:20:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
temphoster[.]com2023/06/27 13:20:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documententranceintelligence[.]com2023/06/27 17:13:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentgateprotector[.]com2023/06/27 17:13:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
readinfodata[.]com2023/06/28 16:09:46NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
readdatainform[.]com2023/06/28 16:09:50NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webcryptoinfo[.]com2023/06/29 12:41:50NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storageinfodata[.]com2023/06/29 12:41:50NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keeperdatastorage[.]com2023/07/03 17:40:16NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keepinformationroot[.]com2023/07/03 17:40:21NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
keyservicebar[.]com2023/07/05 13:25:41PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
bitespacedev[.]com2023/07/05 13:25:43PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
cryptodocumentinformation[.]com2023/07/05 15:04:46PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
directdocumentinfo[.]com2023/07/05 15:04:48PDR Ltd.C=US, O=Let’s Encrypt, CN=R3 
techpenopen[.]com2023/07/05 15:49:13NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
loginformationbreakthrough[.]com2023/07/06 16:01:36NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
alldocssolution[.]com2023/07/06 16:01:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentkeepersolutionsystems[.]com2023/07/06 18:45:01NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docholdersolution[.]com2023/07/06 18:45:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infodocitsolution[.]com2023/07/07 11:00:59NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
securebrowssolution[.]com2023/07/07 11:00:59NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
secbrowsingate[.]com2023/07/07 11:18:09NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
secbrowsingsystems[.]com2023/07/07 11:18:14NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docguardmaterial[.]com2023/07/10 11:38:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
dockeeperweb[.]com2023/07/10 11:38:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docsecgate[.]com2023/07/11 13:27:59NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
documentsecsolution[.]com2023/07/11 13:28:01NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
cryptogatehomes[.]com2023/07/11 17:51:38NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
topcryptoprotect[.]com2023/07/12 13:03:36NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
safedocumentgatesolution[.]com2023/07/12 13:17:15NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
safedocitsolution[.]com2023/07/12 13:17:23NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docscontentview[.]com2023/07/12 15:05:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
docscontentgate[.]com2023/07/12 15:05:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
openprojectgate[.]com2023/07/12 15:30:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
infowardendoc[.]com2023/07/12 15:30:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
wardensecbreakthrough[.]com2023/07/12 15:41:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
lawsystemjudgement[.]com2023/07/12 15:41:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
explorewebdata[.]com2023/07/13 08:12:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
doorwayseclaw[.]com2023/07/13 13:22:18NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entryloginpoint[.]com2023/07/13 13:22:22NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
wardenlawsec[.]com2023/07/13 14:12:32NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entrygatebreak[.]com2023/07/13 14:12:32NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
digitalworkdata[.]com2023/07/13 15:00:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
digitalhubdata[.]com2023/07/13 15:00:45NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
craftfilelink[.]com2023/07/13 15:31:00NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
createtempdoc[.]com2023/07/13 15:31:00NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
provideexplorer[.]com2023/07/13 16:25:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
reviewopenfile[.]com2023/07/13 16:25:34NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
govsafebreakthrough[.]com2023/07/13 16:26:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
govlawentrance[.]com2023/07/13 16:26:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storagekeepdirect[.]com2023/07/13 17:36:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storageguarddirect[.]com2023/07/13 17:36:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
storagekeeperexpress[.]com2023/07/14 13:27:26NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
onestorageprotectordirect[.]com2023/07/14 13:27:27NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
lawwardensafety[.]com2023/07/14 13:41:52NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entrancequick[.]com2023/07/14 13:41:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
seclawdoorway[.]com2023/07/14 15:28:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
wardengovermentlaw[.]com2023/07/14 15:28:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
getvaluepast[.]com2023/07/14 16:14:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
transferlinkdata[.]com2023/07/14 16:14:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
remcemson[.]com2023/07/26 11:25:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
osixmals[.]com2023/07/26 11:25:56NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
entranceto[.]com2023/07/28 12:26:15NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
govermentsecintro[.]com2023/07/28 12:26:17NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
itbugreportbeta[.]com2023/07/28 13:06:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
theitbugreportbeta[.]com2023/07/28 13:06:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
sockintrodoorway[.]com2023/07/28 13:21:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
maxintrosec[.]com2023/07/28 13:21:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
doorgovcommunity[.]com2023/07/28 15:11:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
tarentrycommunity[.]com2023/07/28 15:11:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
webfigmadesignershop[.]com2023/07/28 16:09:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
webfigmadesigner[.]com2023/07/28 16:09:11NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
logincontrolway[.]com2023/07/28 16:35:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
vertransmitcontrol[.]com2023/07/28 16:35:44NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
everyinit[.]com2023/08/09 13:56:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
aliceplants[.]com2023/08/09 17:22:26NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
countingtall[.]com2023/08/09 17:22:30NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
silenceprotocol[.]com2023/08/10 12:32:10NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
mintwithapples[.]com2023/08/10 12:32:15NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
winterholds[.]com2023/08/10 12:53:29NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
ziplinetransfer[.]com2023/08/10 16:47:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
translatesplit[.]com2023/08/10 16:47:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
getfigmacreator[.]com2023/08/11 13:13:20NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
postrequestin[.]com2023/08/11 13:13:23NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
tarifjane[.]com2023/08/17 14:05:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
configlayers[.]com2023/08/17 14:05:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
winterhascometo[.]com2023/08/17 16:21:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
inyourheadexp[.]com2023/08/17 16:21:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
glorybuses[.]com2023/08/18 15:27:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
janeairintroduction[.]com2023/08/18 15:27:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
vikingonairplane[.]com2023/08/18 16:19:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
marungame[.]com2023/08/18 16:19:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
victorinwounder[.]com2023/08/21 16:14:48NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
paneindestination[.]com2023/08/21 16:15:02NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
trastamarafamily[.]com2023/08/22 11:20:22NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
territoryedit[.]com2023/08/22 11:20:24NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
vectorto[.]com2023/08/24 09:40:49NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
johnysadventure[.]com2023/08/24 09:40:54NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
paternenabler[.]com2023/08/25 14:40:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
fastnamegenerator[.]com2023/08/25 14:40:35NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
literallyandme[.]com2023/08/28 13:21:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
andysalesproject[.]com2023/08/28 13:21:34NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
pandawithrainbow[.]com2023/08/28 17:08:58NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
natalyincity[.]com2023/08/29 15:25:02NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
machinerelise[.]com2023/09/01 16:29:09NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
industrialcorptruncate[.]com2023/09/01 16:30:07NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
constructionholdingnewlife[.]com2023/09/07 14:00:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
adventuresrebornpanda[.]com2023/09/07 14:00:55NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
cryingpand[.]com2023/09/13 13:10:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
industrialwatership[.]com2023/09/13 13:10:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
olohaisland[.]com2023/09/13 14:25:35NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
voodoomagician[.]com2023/09/13 14:25:36NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
newestchairs[.]com2023/09/14 11:24:47NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
cpuisocutter[.]com2023/09/14 12:37:53NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
incorpcpu[.]com2023/09/14 12:37:57NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
gulperfish[.]com2023/09/14 14:00:25NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
leviathanfish[.]com2023/09/14 14:00:25NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
truncationcorp[.]com2023/09/14 14:05:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
gzipinteraction[.]com2023/09/14 14:05:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
ghostshowing[.]com2023/09/14 16:10:42NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
hallowenwitch[.]com2023/09/14 16:10:43NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
certificatentrance[.]com2023/09/19 08:18:39NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
apiwebdata[.]com2023/10/02 14:59:14NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
apidatahook[.]com2023/10/04 15:45:19NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
apireflection[.]com2023/10/04 15:45:25NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
protectionoffice[.]tech2023/10/05 11:33:46Hostinger UABC=US, O=Let’s Encrypt, CN=R3 
lazyprotype[.]com2023/10/11 11:52:18NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
angelicfish[.]com2023/10/13 17:57:29NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
globalyfish[.]com2023/10/13 17:57:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
medicprognosis[.]com2023/10/16 14:36:32NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
medicoutpatient[.]com2023/10/16 14:36:41NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
krakfish[.]com2023/10/17 17:09:29NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
stingrayfish[.]com2023/10/17 17:09:31NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
incorpreview[.]com2023/10/17 18:27:09NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
truncatetrim[.]com2023/10/17 18:27:11NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
corporatesinvitation[.]com2023/10/18 14:48:54NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
triminget[.]com2023/10/18 17:31:40NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
firewitches[.]com2023/10/19 10:40:51NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
solartemplar[.]com2023/10/19 10:40:52NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
encryptionrenewal[.]com2023/10/20 13:36:24NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
sslkeycert[.]com2023/10/20 13:36:24NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
barbarictruths[.]com2023/10/23 07:37:30NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
castlefranks[.]com2023/10/23 07:37:33NameCheap, IncC=US, O=Let’s Encrypt, CN=R3Yes
comintroduction[.]com2023/10/24 14:01:11NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 
corpviewer[.]com2023/10/31 13:10:38NameCheap, IncC=US, O=Let’s Encrypt, CN=R3 

Star Blizzard HubSpot campaign domains:

Star Blizzard MailerLite campaign domain:

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.