
Free Threat Intel for Canada: 37 IOCs for Eh-Holes Targeting the True North

  • Writer: Patrick Duggan
  • Nov 30, 2025
  • 3 min read

TL;DR: We published 2 OTX pulses with 37 Canada-focused IOCs covering ALPHV/BlackCat, critical infrastructure threats, and PIPEDA compliance. Free. No paywall. Because our neighbors deserve threat intel too, and CSE can't do it all.




The Problem


Canada is getting hammered.



• Ransomware is the #1 threat to Canada's critical infrastructure

• 20+ Canadian government networks breached by Chinese hackers in 4 years

• 336 pre-ransomware notifications sent to 309 Canadian organizations in 2024-25

• 74-148 ransomware incidents averted, saving $6-18M

• Hacktivists targeting ICS in water, food, and energy sectors (November 2025 alert)


CSE stood up a campaign to counter the top 10 ransomware groups impacting Canada. They're doing good work, but they can't protect everyone.




The ALPHV/BlackCat IOCs


CCCS published a dedicated advisory on ALPHV/BlackCat targeting Canadian industries. Here's what they're using:


C2 Infrastructure (9 IPs)

• Azure infrastructure abuse - 4.157.42.62, 40.88.54.192, 52.188.53.135

• Dedicated C2 servers - 162.33.179.114, 193.149.187.213, 206.188.196.78

• Residential proxies - 45.154.138.39, 47.154.86.24, 67.216.143.42


Legitimate Services Abused

• **fleetdeck.io** - Remote management tool

• **gofile.io** - File sharing for exfil

• **storjshare.io** - Cloud storage for staging

• **privacy.sexy** - Defense evasion tool

• **Azure Blob Storage** - Data staging via Azure


File Indicators

• FleetDeck agent abuse (fleetdeck_agent_svc.exe)

• Windows Defender ATP offboarding scripts

• PowerShell loaders (WhenTheyCry0.ps1)

• 17+ SHA256 hashes for malware samples
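As an added illustration (this is not code from the CCCS advisory or from the OTX pulses), here is how the indicators above can be matched against your own telemetry. The IP, domain and filename values are the ones quoted in this section; the log lines are constructed samples in a made-up firewall/proxy/EDR format, and the field layout is an assumption. The second firewall line is a deliberate near miss (14.157.42.62) to show why IOC matching must respect token boundaries rather than do plain substring search.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the ALPHV/BlackCat section above.
C2_IPS = {
    "4.157.42.62", "40.88.54.192", "52.188.53.135",         # Azure infrastructure abuse
    "162.33.179.114", "193.149.187.213", "206.188.196.78",  # dedicated C2 servers
    "45.154.138.39", "47.154.86.24", "67.216.143.42",       # residential proxies
}
ABUSED_DOMAINS = {"fleetdeck.io", "gofile.io", "storjshare.io", "privacy.sexy"}
FILE_INDICATORS = {"fleetdeck_agent_svc.exe", "whentheycry0.ps1"}

# Constructed sample log lines (not real telemetry); the format is an assumption.
SAMPLE_LOGS = [
    "2025-11-30T12:00:01Z fw allow src=10.0.5.12 dst=4.157.42.62 dport=443",
    "2025-11-30T12:00:02Z fw allow src=10.0.5.12 dst=14.157.42.62 dport=443",  # near miss
    "2025-11-30T12:00:03Z proxy GET https://gofile.io/d/abc123 user=jdoe",
    "2025-11-30T12:00:04Z proxy GET https://www.storjshare.io/ user=jdoe",
    "2025-11-30T12:00:05Z edr proc C:\\Program Files\\FleetDeck\\fleetdeck_agent_svc.exe parent=services.exe",
    "2025-11-30T12:00:06Z edr proc powershell.exe -ep bypass -f C:\\Users\\Public\\WhenTheyCry0.ps1",
    "2025-11-30T12:00:07Z fw allow src=10.0.5.13 dst=8.8.8.8 dport=53",
]

# Dotted quads that are not part of a longer dotted/numeric run (token-boundary match).
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Host portion of any http(s) URL.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Executable or PowerShell file names anywhere on the line.
FILE_RE = re.compile(r"([A-Za-z0-9_.-]+\.(?:exe|ps1))", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    category: str   # "c2_ip", "abused_service" or "file"
    indicator: str  # the indicator that matched
    line: str       # the raw log line


def domain_suffix_match(host, domains):
    """Return the indicator domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line):
    hits = []
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append(Hit("c2_ip", ip, line))
    for host in HOST_RE.findall(line):
        d = domain_suffix_match(host, ABUSED_DOMAINS)
        if d:
            hits.append(Hit("abused_service", d, line))
    for fname in FILE_RE.findall(line):
        if fname.lower() in FILE_INDICATORS:
            hits.append(Hit("file", fname.lower(), line))
    return hits


def scan_logs(lines):
    """Run every line through scan_line and flatten the results."""
    return [h for line in lines for h in scan_line(line)]


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"[{h.category}] {h.indicator}: {h.line}")
```

FleetDeck is a legitimate remote management product, so a hit on fleetdeck.io or fleetdeck_agent_svc.exe is a lead to triage against your software inventory, not an automatic block; the C2 IPs and the loader script name are closer to direct-action indicators.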




PIPEDA: 20 Million Canadians Affected



• 686 breach reports (down slightly from 693)

• 20 million Canadians had accounts affected

• Financial sector was the largest target (172 unauthorized access reports)

• 23andMe investigation - 7M+ Canadians affected, OPC found notification delays

• PowerSchool breach - Investigation launched February 2025


OSFI B-13 Compliance

Effective January 1, 2024, OSFI Guideline B-13 requires federally regulated financial institutions (FRFIs) to manage technology and cyber risk. If you're a Canadian bank, credit union, or insurance company, you need threat intel to meet these requirements.


Bill C-27 (What Could Have Been)

Bill C-27 would have increased PIPEDA fines to:

• **$10M or 3% global revenue** (administrative penalties)

• **$25M or 5% global revenue** (criminal penalties)


Even without C-27, PIPEDA requires "as soon as feasible" breach notification. The 23andMe ruling shows OPC is enforcing this.




The Two Pulses


Pulse 1: Canadian Government Ransomware **20 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cc688378005f82f2fbee9)



• 9 C2 IP addresses (direct from CCCS)

• 5 domains/URLs for staging and exfil

• 3 SHA256 file hashes

• 3 filename indicators (PowerShell, Defender bypass)


Pulse 2: PIPEDA Data Protection **17 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cc6886ddd265158bf7aa5)



• PowerShell commands targeting financial groups

• Phishing patterns (canada-benefits, interac-etransfer, service-canada)

• Credential harvesting tools

• Ransomware preparation commands




Critical Infrastructure: November 2025 Alert

Sectors named in the alert:

• Water systems

• Food production

• Energy and utilities

• Transportation

• Health systems


Mitigations:

• Remove unnecessary internet connections from ICS

• Deploy VPNs, firewalls, MFA

• Replace default passwords

• Segregate IT and OT environments

• Maintain offline backups




What To Do With This


If you're a Canadian IT admin:


1. Subscribe to both pulses - These are CCCS IOCs repackaged for easy ingestion

2. Block the ALPHV C2 IPs - Especially the Azure-hosted ones that look "legitimate"

3. Monitor for FleetDeck abuse - Legitimate tool, but attackers love it

4. Watch for .gc.ca phishing - Government impersonation is constant

5. Report to CCCS - [email protected] or 1-833-CYBER-88
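Step 4 and the phishing patterns listed under Pulse 2 (canada-benefits, interac-etransfer, service-canada) both come down to the same check: is a hostname actually under a Government of Canada domain, or merely dressed up to look like one? The following is an added example, not code from the pulses or from DugganUSA. It assumes gc.ca and canada.ca as the legitimate suffixes (extend the allowlist for your own environment); the sample hostnames are constructed. The "notgc.ca" case shows why the suffix test needs a dot boundary.

```python
import re

# Assumed allowlist of suffixes the Government of Canada actually operates.
GOC_SUFFIXES = ("gc.ca", "canada.ca")
# Lure keywords quoted from the Pulse 2 description above.
LURE_TOKENS = ("canada-benefits", "interac-etransfer", "service-canada")

# Constructed sample hostnames, e.g. pulled from mail or proxy logs.
SAMPLE_HOSTS = [
    "cyber.gc.ca",
    "www.canada.ca",
    "gc.ca.account-verify.com",
    "login.gc-ca.info",
    "interac-etransfer-refund.com",
    "notgc.ca",
    "example.org",
]


def is_goc_domain(host):
    """True only if host equals an allowlisted suffix or is a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in GOC_SUFFIXES)


def looks_like_gcca(labels):
    """'gc.ca' appearing where it is not the registrable suffix, or fused into one label."""
    for i in range(len(labels) - 1):
        if labels[i] == "gc" and labels[i + 1] == "ca":
            return True
    return any(label in ("gc-ca", "gcca") for label in labels)


def classify_host(host):
    """Return (verdict, reasons): legitimate, impersonation or unrelated."""
    h = host.lower().rstrip(".")
    if is_goc_domain(h):
        return ("legitimate", [])
    reasons = []
    if looks_like_gcca(h.split(".")):
        reasons.append("gc.ca lookalike")
    # Strip separators so "canada.benefits" and "canadabenefits" still match the lure token.
    squashed = re.sub(r"[^a-z0-9]", "", h)
    for tok in LURE_TOKENS:
        if tok.replace("-", "") in squashed:
            reasons.append("lure:" + tok)
    return ("impersonation", reasons) if reasons else ("unrelated", [])


def triage(hosts):
    """Map each hostname to its verdict and reasons."""
    return {host: classify_host(host) for host in hosts}


if __name__ == "__main__":
    for host, (verdict, reasons) in triage(SAMPLE_HOSTS).items():
        print(f"{host:32} {verdict:14} {', '.join(reasons)}")
```

The allowlist check runs first so a genuine servicecanada-style host under canada.ca is never flagged by the lure tokens; everything else that carries a gc.ca fragment or one of the lure keywords is routed to review rather than blocked outright, since the keywords are broad enough to hit legitimate third parties.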


If you're a Canadian CISO (OSFI B-13):



• Threat intelligence consumption

• Active defense measures

• Compliance with risk management requirements


If you're handling PIPEDA breaches:


The OPC expects "as soon as feasible" notification. They investigated 23andMe for a 1-month delay. Have your incident response plan ready before you need it.




The Continental Defense Angle


Here's the thing: American threat actors use Canadian infrastructure as staging, and vice versa. The ALPHV/BlackCat IOCs CCCS published? Some of those Azure IPs are US-based but targeting Canadian orgs.


We're in Minnesota. Canada is right there. Your threats are our threats. When American companies share threat intel with Canadian companies, everyone benefits.


That's why we're publishing these for free. Not because we're nice (debatable), but because collective defense actually works.




Resources



• [DugganUSA OTX Profile](https://otx.alienvault.com/user/pduggusa) - 24 pulses, 1,300+ indicators

• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable

• [CCCS ALPHV/BlackCat Advisory](https://www.cyber.gc.ca/en/alerts-advisories/alphvblackcat-ransomware-targeting-canadian-industries)

• [National Cyber Threat Assessment 2025-2026](https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026)

• [CCCS Alerts and Advisories](https://www.cyber.gc.ca/en/alerts-advisories) - Stay current

• [OPC PIPEDA Reports](https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/202425/ar_202425/)




*Patrick Duggan is founder of DugganUSA, a Minnesota-based security company. He shares threat intel with Canadian organizations because (a) continental defense matters, (b) maple syrup is delicious, and (c) someone should. If you're a Canadian organization and need help, we don't charge extra for the exchange rate.*


*Questions? [email protected]*

