This is list of IoC's related to DarkSide ransomware, identified by third-party researchers.
UNC2628 has interacted with victim environments using various legitimate accounts, but in multiple cases has also created and used a domain account with the username 'spservice'. Across all known intrusions, UNC2628 has made heavy use of the Cobalt Strike framework and BEACON payloads. BEACON command and control (C2) infrastructure attributed to this actor has included the following: hxxps://104.193.252[.]197:443/ hxxps://162.244.81[.]253:443/ hxxps://185.180.197[.]86:443/ hxxps://athaliaoriginals[.]com/ hxxps://lagrom[.]com:443/font.html hxxps://lagrom[.]com:443/night.html hxxps://lagrom[.]com:443/online.html hxxps://lagrom[.]com:443/send.html hxxps://lagrom[.]com/find.html?key=id#-