IP and relation to abuse...

See sources for this example from Indonesia: https://urlquery.net/report/8c55d8a0-62b9-4078-8c6b-b90247632521
archival source: http://www.overflowzone.com/archive/country/ID/87
for being a phish → https://checkphish.ai/ip/202.52.146.117
DNS requests in malware analytics: https://report.any.run/90c2ef1e6736c8f9b8625b2498f839f423d5873527bbdbe22b24513994fabe17/86ad6390-37d5-4ade-ba53-cabac1ff158f

polonus

This one now on a known infection source: https://urlquery.net/report/c4369e85-d5f9-40c5-a66c-8d779d127040
See: https://www.virustotal.com/#/url/940d24742ccc845cadb856e21c2308f16ccb8c293891e6eed6e9e309de4a363b/details
and that IP: https://www.threatcrowd.org/ip.php?ip=217.97.216.17
and https://www.threatminer.org/host.php?q=217.97.216.17
more: https://www.reverse.it/sample/792a0dadf2e7cc4bc83bb0fb6bb1783ed1f4d899e7bc3e4be8d5c5f5d83fe8b7?environmentId=100
Re: https://checkphish.ai/insights/url/1517390367369/db2b249a308cb4ba53d52a1e1814398d981448111defde612390b451c7ed8090
Re: https://cool-links.org/sp11bialystok.neostrada.pl.html

polonus