Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities

    Date: 02/18/2026

    Severity: High

    Summary

    A large-scale spam campaign abused Atlassian Cloud’s trusted domain to distribute multilingual phishing emails targeting government and corporate entities. By leveraging the reputation of Atlassian Jira, attackers sent tailored messages to multiple language groups and used Keitaro TDS-powered redirects to funnel victims toward fraudulent investment schemes and online casinos, indicating financially motivated activity. Organizations heavily reliant on Jira notifications were particularly at risk due to the inherent trust placed in SaaS-generated communications.
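One way a mail or proxy pipeline can act on the point above, that notifications from atlassian.net are trusted by default: treat each `<tenant>.atlassian.net` site as its own identity and flag tenants the organization does not use. This is an added example, not part of the original advisory or of any vendor tooling; the allow-list, function names and sample messages are constructed, and it assumes the tenant hostname is visible in the links a message carries.

```python
import re
from urllib.parse import urlsplit

# Assumption: the Atlassian Cloud sites your organization actually uses.
SANCTIONED_TENANTS = {"example-corp"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def atlassian_tenant(url):
    """Return the tenant label if the host is exactly <tenant>.atlassian.net."""
    try:
        host = urlsplit(url).hostname  # drops userinfo and port, lowercases
    except ValueError:
        return None
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    # Exact three-label match rejects atlassian.net.lookalike.example and
    # the bare apex, which a substring "like" match would let through.
    if len(labels) == 3 and labels[1:] == ["atlassian", "net"] and labels[0]:
        return labels[0]
    return None


def unsanctioned_tenants(body, sanctioned=SANCTIONED_TENANTS):
    """Sorted tenant names linked in a message body that are not allow-listed."""
    found = {atlassian_tenant(u) for u in URL_RE.findall(body)}
    return sorted(t for t in found if t and t not in sanctioned)


def triage(messages):
    """Map message id -> unsanctioned tenants, only for messages with a hit."""
    hits = {}
    for msg in messages:
        tenants = unsanctioned_tenants(msg["body"])
        if tenants:
            hits[msg["id"]] = tenants
    return hits


# Constructed sample messages (not taken from the campaign).
SAMPLE = [
    {"id": "m1", "body": "Updated: https://example-corp.atlassian.net/browse/OPS-12"},
    {"id": "m2", "body": "Mention: https://Unknown-Tenant-1.atlassian.net/browse/AB-1 now"},
    {"id": "m3", "body": "See http://atlassian.net.lookalike.example/login"},
    {"id": "m4", "body": "https://u@unknown-tenant-2.atlassian.net:443/x "
                         "https://unknown-tenant-1.atlassian.net./y"},
]
```

An allow-list of sanctioned tenants keeps working when the sender rotates to new site names, which a fixed indicator list does not.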

    Indicators of Compromise (IOC) List

    URLs/Domains


    IP Address

    85.239.37.79

    89.105.217.94

    80.89.237.99

    188.137.251.154

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "autsorsserialbdk.online" or siteurl like "autsorsserialbdk.online" or url like "autsorsserialbdk.online" or domainname like "natsukage.jotakoxi.cyou" or siteurl like "natsukage.jotakoxi.cyou" or url like "natsukage.jotakoxi.cyou" or domainname like "autsorsserialtyr.online" or siteurl like "autsorsserialtyr.online" or url like "autsorsserialtyr.online" or domainname like "1winapps2.site" or siteurl like "1winapps2.site" or url like "1winapps2.site" or domainname like "adrinal.com" or siteurl like "adrinal.com" or url like "adrinal.com" or domainname like "autsorsserialkhy.online" or siteurl like "autsorsserialkhy.online" or url like "autsorsserialkhy.online" or domainname like "toprapes.com" or siteurl like "toprapes.com" or url like "toprapes.com" or domainname like "zimorodoktv.online" or siteurl like "zimorodoktv.online" or url like "zimorodoktv.online" or domainname like "barankiny-serial.online" or siteurl like "barankiny-serial.online" or url like "barankiny-serial.online" or domainname like "autsorsserialyuu.online" or siteurl like "autsorsserialyuu.online" or url like "autsorsserialyuu.online" or domainname like "dotime.ru" or siteurl like "dotime.ru" or url like "dotime.ru" or domainname like "annamediumsmotretgo.online" or siteurl like "annamediumsmotretgo.online" or url like "annamediumsmotretgo.online" or domainname like "ambiguityserial.site" or siteurl like "ambiguityserial.site" or url like "ambiguityserial.site" or domainname like "besplanto.online" or siteurl like "besplanto.online" or url like "besplanto.online" or domainname like "autsorsserialrpv.online" or siteurl like "autsorsserialrpv.online" or url like "autsorsserialrpv.online" or domainname like "turok1990-one.online" or siteurl like "turok1990-one.online" or url like "turok1990-one.online" or domainname like "besprincypnievpiterenovyeserii.online" or siteurl like "besprincypnievpiterenovyeserii.online" or url like "besprincypnievpiterenovyeserii.online" or domainname 
like "blackjackonlineplay.com" or siteurl like "blackjackonlineplay.com" or url like "blackjackonlineplay.com" or domainname like "chikatiloserialsxe.online" or siteurl like "chikatiloserialsxe.online" or url like "chikatiloserialsxe.online" or domainname like "autsorsserialoue.online" or siteurl like "autsorsserialoue.online" or url like "autsorsserialoue.online" or domainname like "barankinyserialxud.online" or siteurl like "barankinyserialxud.online" or url like "barankinyserialxud.online" or domainname like "20fdssadsad.atlassian.net" or siteurl like "20fdssadsad.atlassian.net" or url like "20fdssadsad.atlassian.net" or domainname like "3traveonkun.atlassian.net" or siteurl like "3traveonkun.atlassian.net" or url like "3traveonkun.atlassian.net" or domainname like "5ameyowin.atlassian.net" or siteurl like "5ameyowin.atlassian.net" or url like "5ameyowin.atlassian.net" or domainname like "5juelrnlt.atlassian.net" or siteurl like "5juelrnlt.atlassian.net" or url like "5juelrnlt.atlassian.net" or domainname like "99juelrnlt.atlassian.net" or siteurl like "99juelrnlt.atlassian.net" or url like "99juelrnlt.atlassian.net" or domainname like "caszxcmial1964.atlassian.net" or siteurl like "caszxcmial1964.atlassian.net" or url like "caszxcmial1964.atlassian.net" or domainname like "caszxcmial2354.atlassian.net" or siteurl like "caszxcmial2354.atlassian.net" or url like "caszxcmial2354.atlassian.net" or domainname like "caszxcmial5613.atlassian.net" or siteurl like "caszxcmial5613.atlassian.net" or url like "caszxcmial5613.atlassian.net" or domainname like "caszxcmial31235.atlassian.net" or siteurl like "caszxcmial31235.atlassian.net" or url like "caszxcmial31235.atlassian.net" or domainname like "faciniancu2.atlassian.net" or siteurl like "faciniancu2.atlassian.net" or url like "faciniancu2.atlassian.net" or domainname like "goutiermathea2.atlassian.net" or siteurl like "goutiermathea2.atlassian.net" or url like "goutiermathea2.atlassian.net" or domainname like 
"goutiermathea4.atlassian.net" or siteurl like "goutiermathea4.atlassian.net" or url like "goutiermathea4.atlassian.net" or domainname like "goutiermathea5.atlassian.net" or siteurl like "goutiermathea5.atlassian.net" or url like "goutiermathea5.atlassian.net" or domainname like "goutiermathea7.atlassian.net" or siteurl like "goutiermathea7.atlassian.net" or url like "goutiermathea7.atlassian.net" or domainname like "goutiermathea8.atlassian.net" or siteurl like "goutiermathea8.atlassian.net" or url like "goutiermathea8.atlassian.net" or domainname like "goutiermathea9.atlassian.net" or siteurl like "goutiermathea9.atlassian.net" or url like "goutiermathea9.atlassian.net" or domainname like "jananialigato3.atlassian.net" or siteurl like "jananialigato3.atlassian.net" or url like "jananialigato3.atlassian.net" or domainname like "jananialigato4.atlassian.net" or siteurl like "jananialigato4.atlassian.net" or url like "jananialigato4.atlassian.net" or domainname like "jananialigato6.atlassian.net" or siteurl like "jananialigato6.atlassian.net" or url like "jananialigato6.atlassian.net" or domainname like "jananialigato7.atlassian.net" or siteurl like "jananialigato7.atlassian.net" or url like "jananialigato7.atlassian.net" or domainname like "jananialigato8.atlassian.net" or siteurl like "jananialigato8.atlassian.net" or url like "jananialigato8.atlassian.net" or domainname like "jsldifjzxu3015.atlassian.net" or siteurl like "jsldifjzxu3015.atlassian.net" or url like "jsldifjzxu3015.atlassian.net" or domainname like "norawfzkwn7.atlassian.net" or siteurl like "norawfzkwn7.atlassian.net" or url like "norawfzkwn7.atlassian.net" or domainname like "norawfzkwn8.atlassian.net" or siteurl like "norawfzkwn8.atlassian.net" or url like "norawfzkwn8.atlassian.net" or domainname like "norawfzkwn9.atlassian.net" or siteurl like "norawfzkwn9.atlassian.net" or url like "norawfzkwn9.atlassian.net" or domainname like "norawfzkwn10.atlassian.net" or siteurl like 
"norawfzkwn10.atlassian.net" or url like "norawfzkwn10.atlassian.net" or domainname like "norawfzkwn55.atlassian.net" or siteurl like "norawfzkwn55.atlassian.net" or url like "norawfzkwn55.atlassian.net" or domainname like "norawfzkwn66.atlassian.net" or siteurl like "norawfzkwn66.atlassian.net" or url like "norawfzkwn66.atlassian.net" or domainname like "yandzxkc6135.atlassian.net" or siteurl like "yandzxkc6135.atlassian.net" or url like "yandzxkc6135.atlassian.net" or domainname like "yandzxkc8354.atlassian.net" or siteurl like "yandzxkc8354.atlassian.net" or url like "yandzxkc8354.atlassian.net" or domainname like "yandzxkc9135.atlassian.net" or siteurl like "yandzxkc9135.atlassian.net" or url like "yandzxkc9135.atlassian.net" or domainname like "yandzxkc71338.atlassian.net" or siteurl like "yandzxkc71338.atlassian.net" or url like "yandzxkc71338.atlassian.net" or domainname like "zavicevaa72212.atlassian.net" or siteurl like "zavicevaa72212.atlassian.net" or url like "zavicevaa72212.atlassian.net" or domainname like "audrey-reid.online" or siteurl like "audrey-reid.online" or url like "audrey-reid.online"

    Detection Query 2 :

    dstipaddress IN ("89.105.217.94","85.239.37.79","80.89.237.99","188.137.251.154") or srcipaddress IN ("89.105.217.94","85.239.37.79","80.89.237.99","188.137.251.154")

    Detection Query 3 :

    sha256hash IN ("73052241b2bc103e19db2096608d686a266964d952944d3de12adc415c22927a","38ceb6fed0a2bcfd627469305b81b7e2f4eb7564768f7e103645dab849940aba","e9785ec2f27fc97cd57552c484dc34b650e116d090a98fc48f957c48e440ba7d","bac38e5d38782e33dd995b9822228f88e06157ab8d9fd1fe20a31a550db0d354","8574f1be0740ee6480f220d590d0eddb2bd02c0b30875daa943cbd2de8553cd1","43bc0b395cc53490c7cf43be348890241ca8bee07cbddc3062fe5822866657e4")

    Reference:

    https://www.trendmicro.com/en_us/research/26/b/spam-campaign-abuses-atlassian-jira.html


    Tags

    Malware, Phishing, Government Services and Facilities, SaaS
