Home
-
Blog
-
How to detect network IoCs (URLs, Domains and IPs) in context of SNOWYAMBER, HALFRIG and QUARTERRIG in Sycope NSM?
16/04/2025

How to detect network IoCs (URLs, Domains and IPs) in context of SNOWYAMBER, HALFRIG and QUARTERRIG in Sycope NSM?

SKW and CSIRT NASK observed a wide-ranging espionage campaign related to Russian secret services.

Author: Maciej Wilamowski
SKW and CSIRT NASK observed a wide-ranging espionage campaign related to Russian Federal Security Services and prepared the IoC how malicious activity can be detected. (More information in here: https://www.gov.pl/web/baza-wiedzy/kampania-szpiegowska-wiazana-z-rosyjskimi-sluzbami)

As we read in the information published:

There is significant overlap between various aspects of the current campaign, such as its infrastructure, techniques, and tools, with those described in previous campaigns referred to as “NOBELIUM” by Microsoft and “APT29” by Mandiant. The actor behind this campaign has been linked to other campaigns, including “SOLARWINDS,” as well as tools such as “SUNBURST,” “ENVYSCOUT,” and “BOOMBOX,” among others, all of which have intelligence-gathering purposes.

What sets this campaign apart from previous ones is the use of software that has not been publicly described before. Additionally, new tools were utilized alongside or instead of those that had become less effective, allowing the actor to maintain continuity of operations.

 

In Sycope NSM you can use below search to detect artifacts regarding malicious URLs, Domains and IP addresses.

lookupKeyExists(“MalciousUrls”, {“Url”: httpUrl}) or lookupKeyExists(“MaliciousDomains”, {“Domain”: httpHost}) or lookupKeyExists(“MalciousIPs”, {“Ip”: clientIp}) or lookupKeyExists(“MalciousIPs”, {“Ip”: serverIp})

HALFRIG Network IoCs QUARTERRIG SNOWYAMBER
You may also like
Blog
Seamless Integration of Suricata with Sycope – Strengthen Your Network Security
Integrating Suricata, a leading open-source threat detection engine, with Sycope enhances your security capabilities by providing real-time, actionable insights directly within your security analytics platform.
Paweł Drzewiecki
10/06/2025
Read more >
This week top knowledge
Blog
How to detect crypto mining in your organization?
How could we try to detect the Resource Hijacking technique, a MITRE ATT&CK technique related to crypto mining activity?
Marcin Kaźmierczak
16/04/2025
Read more >
Blog
Sycope S.A. signs distributor agreement with Looptech Co.
This new distributor agreement unlocking exciting opportunities for expansion and growth across the GCC Countries and the Middle East.
Magda Bącela
03/06/2025
Read more >
Blog
Enhancing Network Visibility: Zabbix Integration with Sycope Made Easy
The integration between Sycope and Zabbix allows for the seamless exchange of network performance and monitoring data.
Marcin Kaźmierczak
10/06/2025
Read more >
x
Leveraging the nTop nDPI for Application Visibility within Sycope/nProbe integration
< Previous video
Next video >
Leveraging the nTop nDPI for Application Visibility within Sycope/nProbe integration
Products
Products
Visibility Performance Security Asset Discovery
Resources
Resources
Resource library
Documentation
 Integrations Case studies FAQ
Company
Company
About Careers Partners For Investors
© 2025 Sycope Ltd. All rights reserved. Privacy Policy
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.