TR-10 - Red October / Sputnik malware


Red October is a malware family, also named Sputnik, which was detected in October 2012 by Kaspersky. It was active since 2007, installations have been spotted around the globe and targets were diplomatic and governmental agencies. The malware usually was sent by email to selected people in the respective organizations. As a cover, different office file formats have been used to transport the loader of the malware, using different exploits to drop the malicious content. After several stages of unpacking, the malware is running persistently on the computer and only when it successfully probes internet connectivity, it decrypts a separate file and starts to behave maliciously: it connects to a Command and Control server, awaiting new commands or downloading and executing specific malware modules.


Currently, the domains in this document are known to be used for Command and Control activity.

Any hit in your organisation’s Proxy or DNS log files or firewall logs during the last 6 years indicate a compromised host in your organization.

Proactive measures

Block access to below mentioned domains and IP addresses.

Reactive measures

Review log files, also those from backups regarding hits on the domains / IP addresses. In case of a hit, identify and isolate the machine by unplugging it from the network. CIRCL can assist with the analysis of memory and file system dumps.


Red October domains

Red October IPs

Attribution and technical reports

We want to thank Kaspersky Lab for sharing the information

Classification Of This Document

TLP: WHITE information may be distributed without restriction, subject to copyright controls.