################################################################################
# nolovia state-sponsored malware blacklist file
# Part of nolovia,
#
# The following servers have been identified as part of various state-sponsored
# malware campaigns.
################################################################################

# Government-sponsored iOS malware blocking:
#
# These domains are associated with government-sponsored malware, see
# https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
aalaan.tv
accounts.mx
adjust-local-settings.com
alawaeltech.com
alljazeera.co
asrararabiya.co
asrararablya.com
asrarrarabiya.com
bahrainsms.co
bbc-africa.com
bulbazaur.com
checkinonlinehere.com
cnn-africa.co
damanhealth.online
emiratesfoundation.net
fb-accounts.com
googleplay-store.com
icloudcacher.com
icrcworld.com
iusacell-movil.com.mx
kenyasms.org
manoraonline.net
mz-vodacom.info
nation-news.com
newtarrifs.net
nsogroup.com
nsoqa.com
ooredoodeals.com
pickuchu.com
qaintqa.com
redcrossworld.com
sabafon.info
smser.net
thainews.asia
topcontactco.com
track-your-fedex-package.org
turkeynewsupdates.com
turkishairines.info
uaenews.online
univision.click
unonoticias.net
webadv.co
whatsapp-app.com
y0utube.com.mx

################################################################################
# Russian malware blocking:
#
# These domains are associated with GRIZZLY STEPPE "Russian Malicious Cyber Activity"
# See https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity
# A number of IP addresses were also identified that you may wish to block.
# See https://wiki.shaunc.com/wikka.php?wakka=GrizzlySteppeIpsetIptables
pdfregistry.net
cderlearn.com
ritsoperrol.ru
littjohnwilhap.ru
wilcarobbe.com
one2shoppee.com
insta.reduct.ru
waterfilter.in.ua

# These domains are associated with APT28/Fancy Bear modified LoJack tracking implants.
# See https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/
elaxo.org
ikmtrust.com
lxwo.org
sysanalyticweb.com
webstp.com

# Per a federal indictment, "linuxkrnl.net" was used by Russian intelligence as
# part of a malware campaign. It appears to have lapsed and been re-registered,
# but I'm including it anyway.
# See https://www.justice.gov/file/1080281/download or https://pbs.twimg.com/media/DiAIv75U0AAqXcd.jpg
linuxkrnl.net

# Per Microsoft, these domains are associated with Russian spearphishing targeting
# American political groups.
# See https://www.apnews.com/afbcacce5ba64a8387f615d38237ee85
my-iri.org
hudsonorg-my-sharepoint.com
senate.group
adfs-senate.services
adfs-senate.email
office365-onedrive.com

################################################################################
# Turkish malware blocking:
#
# These domains are associated with spyware targeted at Turkish users, using
# Sandvine networking equipment to inject malicious binaries into the download
# streams of legitimate applications.
# See https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/
and-security-state.com
cdn-upd-ms6.com
cdn2-sys-upd.com
cdn6-upd-state-app.com
document-management.today
documentations.live
download-document.world
downloadering.co
downloading.shop
downloadingdocuments.com
downloadingsystem.com
englishdownloaders.today
file-download.today
filedownloaders.com
filedownloads.online
internetdownloading.co
ms-cdn-88.com
redirection.bid
syriantelecom.co
syriantelecommunications.co
upd-ms3-app-state.com
updserv-east-cdn3.com
uploaders.online
wind-files.today
winload.info

################################################################################
# North Korean malware blocking:
#
# These domains are associated with the Lazarus Group, a North Korean APT.
# See https://www.documentcloud.org/documents/4834220-2018-09-06-PARK-COMPLAINT-UNSEALED.html
fancug.com