Detection / HNTPublic file

UNC3753 Reported Infrastructure in Network Telemetry

Hunts for IP addresses, a data-leak domain, and organization-specific domain patterns reported with UNC3753 activity. The values are historical and require current ownership, resolution, and local-timing validation.

Sigma source

Raw YAML
title: UNC3753 Reported Infrastructure in Network Telemetry
id: 18f89d0a-498b-41f5-9a38-82dd7006f25b
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Hunts for IP addresses, a data-leak domain, and organization-specific domain patterns reported with UNC3753 activity. The values are historical and require current ownership, resolution, and local-timing validation.
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/
  - https://www.ic3.gov/CSA/2026/260526.pdf
logsource:
  category: network_connection
detection:
  selection_source_ip:
    SourceIp:
      - '192.236.147.131'
      - '192.236.147.138'
      - '193.141.60.212'
      - '192.236.154.158'
      - '192.236.146.173'
      - '174.169.162.62'
      - '64.94.84.97'
  selection_destination_ip:
    DestinationIp:
      - '192.236.147.131'
      - '192.236.147.138'
      - '193.141.60.212'
      - '192.236.154.158'
      - '192.236.146.173'
      - '174.169.162.62'
      - '64.94.84.97'
  selection_exact_domain:
    DestinationHostname: 'business-data-leaks.com'
  selection_domain_pattern:
    DestinationHostname|endswith:
      - '-itdesk.com'
      - '-it.com'
      - '-helpdesk.com'
  condition: 1 of selection_*
falsepositives:
  - Reassigned, sinkholed, or shared infrastructure after the reported campaign period
  - Unrelated domains whose registered names end with an organization-specific helpdesk pattern
  - Security testing that intentionally uses the published values
level: medium
tags:
  - attack.command-and-control
  - attack.t1071.001
telemetry_assumptions:
  - DNS, proxy, firewall, or endpoint network telemetry maps source and destination addresses and hostnames into the selected fields.
  - Analysts validate current ownership, passive DNS, resolution, prevalence, and event timing before escalation.
related_publication: unc3753-vishing-extortion-law-firms

Relationships

Related files