# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/
# Reference: https://blog.sicehice.com/2023/03/androxgh0st-stealing-your-aws-key-pairs.html
# Reference: https://otx.alienvault.com/pulse/63d43565fa3638d6d936705e

http://109.237.97.180
http://185.83.146.154

# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
# Reference: https://otx.alienvault.com/pulse/65a7d3eed9b9cc8a7ed724cd

rockylinux.si
mc.rockylinux.si

# Reference: https://x.com/banthisguy9349/status/1855870231861715197
# Reference: https://search.censys.io/search?q=services.http.response.body%3D%220x%255B%255D%3Dandroxgh0st%22&resource=hosts&cursor=eyJhbGciOiJFZERTQSJ9.eyJub25jZSI6InhxVFIySXdiRkFZYk1FZXVWRDZHU2hQWHFJTUgxK3NXL2lUQk5ERFRFZUkiLCJwYWdlIjozLCJyZXZlcnNlZCI6ZmFsc2UsInNlYXJjaF9hZnRlciI6WzEuMCwxNzMxMzI2NTU0MDc3LCIzNy44Mi43LjUzIixudWxsXSwic29ydCI6W3siX3Njb3JlIjp7Im9yZGVyIjoiZGVzYyJ9fSx7Imxhc3RfdXBkYXRlZF9hdCI6eyJtaXNzaW5nIjoiX2xhc3QiLCJtb2RlIjoibWluIiwib3JkZXIiOiJkZXNjIn19LHsiaXAiOnsibWlzc2luZyI6Il9sYXN0IiwibW9kZSI6Im1pbiIsIm9yZGVyIjoiYXNjIn19LHsibmFtZS5fX3JhdyI6eyJtaXNzaW5nIjoiX2xhc3QiLCJtb2RlIjoibWluIiwib3JkZXIiOiJhc2MifX1dLCJ2ZXJzaW9uIjoxfQ.6Mr8RmlYVp5R5_Yw_ZR1WLWpxD-OKQcjrlfGrSdp4HyZAH01-pOvz-RMiz5RJPlwA7DsFXojRmwPtnX4k3DDAg
# NOTE(review): the Censys query above matches hosts whose HTTP *response body* contains
# the androxgh0st marker, i.e. hosts that echo the probe back (possibly compromised or
# merely reflecting it), not necessarily operator-controlled C2. Treat the entries below
# as "investigate" rather than "block" unless corroborated, and expect churn: several sit
# in cloud/ISP address space that gets reassigned, so they should be aged out periodically.

http://136.255.200.154
http://14.0.131.117
http://178.115.252.206
http://188.5.35.227
http://193.105.228.36
http://213.158.146.148
http://213.158.146.226
http://217.245.68.118
http://217.91.39.102
http://34.199.68.218
http://34.202.222.133
http://37.189.61.33
http://5.26.129.52
http://77.239.46.106
http://79.205.123.185
http://81.200.163.186
http://84.169.35.14
http://89.123.194.20
http://94.168.56.100
http://94.227.42.150
176.30.202.242:40080
178.242.0.119:40080
178.242.103.252:82
178.242.156.191:11082
178.242.44.226:83
178.242.5.231:82
178.242.82.62:10080
188.38.122.169:81
188.59.107.168:85
188.59.134.105:85
188.59.2.169:82
213.200.229.12:8000
213.233.116.106:1025
213.233.116.106:1026
213.233.116.106:502
213.43.160.13:82
31.177.41.57:9004
31.177.41.57:9005
37.80.81.108:8089
37.80.9.207:86
37.82.64.78:8089
37.84.163.238:120
37.84.170.135:85
37.85.48.170:83
45.79.69.171:60402
46.104.88.51:40080
46.104.89.21:40080
46.97.202.150:83
5.11.151.151:40080
5.11.240.244:90
5.11.241.48:40080
5.26.117.32:81
5.26.165.2:84
5.26.178.232:81
5.26.198.55:40080
5.26.213.203:85
5.26.228.111:81
5.26.229.220:10082
5.26.60.144:83
5.26.64.201:81
77.129.105.125:82
77.130.118.223:82
8.136.7.221:8000
86.71.99.76:82
87.139.197.249:82
92.95.255.227:82

# Reference: https://x.com/AndreGironda/status/1937704608476074329
# Reference: https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
# NOTE(review): the *.oast.pro/.live/.site/.fun/.me/.today zones appear to be shared
# out-of-band callback (Interactsh-style) infrastructure that legitimate scanners and
# pentesters also use. Only the exact per-session hostnames listed here are indicators;
# do not widen these to the parent zones, and expect them to go stale quickly.

cgim5hrh18vvdb38d1905iah3br5dyhji.oast.pro
cgim5hrh18vvdb38d190nnkcjrgc11cns.oast.pro
ch14vjilcoecm8580ft0bhwxm3yjaacyo.oast.live
ch14vjilcoecm8580ft0g6xsmrkewgwro.oast.live
ch14vjilcoecm8580ft0owzy7e9c7hu36.oast.live
chcmp35oujaubpa7e86g1wz9dypg9oc67.oast.site
chcmp35oujaubpa7e86g7mnzmqr9qadow.oast.site
chcmp35oujaubpa7e86gke4ba4r5iwxwz.oast.site
chcmp35oujaubpa7e86gkmmxw6tzhz5s6.oast.site
chi2p4r4bcdfd791dh50af56ny6e5p6e3.oast.fun
chi2p4r4bcdfd791dh50c6dpgu4h9rdhc.oast.fun
chi2p4r4bcdfd791dh50e76q1is16rh83.oast.fun
chi2p4r4bcdfd791dh50tp6ptaa1syixo.oast.fun
# NOTE(review): the next hostname is one character shorter than its siblings (32 vs 33
# characters before the zone) — possible transcription loss; re-check it against the
# reference before relying on it, as a truncated label will never match.
chke3769l5m6jbj8hq90cjcau8b594eu.oast.fun
chke3769l5m6jbj8hq90d4dhb4nx4zagt.oast.fun
chke3769l5m6jbj8hq90dzxqghnrfe6x6.oast.fun
chke3769l5m6jbj8hq90fu71kckky5x63.oast.fun
chke3769l5m6jbj8hq90grzqgusyh11ep.oast.fun
chke3769l5m6jbj8hq90kumuzndndpokb.oast.fun
chke3769l5m6jbj8hq90mrpez639ppnhj.oast.fun
chke3769l5m6jbj8hq90q5hqbd8rq5gkk.oast.fun
chke3769l5m6jbj8hq90tyrybjrzu9d1x.oast.fun
chke3769l5m6jbj8hq90up1kyouqdf7hx.oast.fun
chke3769l5m6jbj8hq90wc79578iwhft1.oast.fun
chke3769l5m6jbj8hq90y47n3ayz4uryc.oast.fun
cj7409i4t88ukb0publgakedcbwnz7nzy.oast.live
cj7409i4t88ukb0publgep4f3ii11ogdk.oast.live
cj7409i4t88ukb0publgjtkyt534mnrby.oast.live
cj7409i4t88ukb0publgtphu9h34f9bpn.oast.live
cv032vemsb87jtt2p11g5h8xztka6kruj.oast.me
cv032vemsb87jtt2p11g5y63nwb1ekujx.oast.me
cv032vemsb87jtt2p11g9n8d9kmxqhq6q.oast.me
cv032vemsb87jtt2p11ger6hddhzm5j4p.oast.me
cv032vemsb87jtt2p11getfd9zd4tpqqs.oast.me
cv032vemsb87jtt2p11gnn3nghfxgd3bt.oast.me
cv032vemsb87jtt2p11gwf68p1xw7rgtk.oast.me
cv032vemsb87jtt2p11gxzy7j9ziaf4j3.oast.me
cv032vemsb87jtt2p11gybdoc66nuxxxh.oast.me
cv032vemsb87jtt2p11gz8mdcbnsokgf6.oast.me
cv032vemsb87jtt2p11gzhoc81cijqymg.oast.me
cv032vemsb87jtt2p11gzs4xhcki44oof.oast.me
d0i0taritt4c9dh9hln06thpknw9dcqhu.oast.today
d0i0taritt4c9dh9hln0h7xsu7h88cxfr.oast.today
d0i0taritt4c9dh9hln0rhrdyu5ds8frk.oast.today
d0i0taritt4c9dh9hln0w8mzbmxi5bu96.oast.today
i-sh.detectors-testing.com

# Generic
# The trail below is the URL-encoded form of 0x[]=androxgh0st (%5B%5D = "[]"), the same
# marker string the Censys reference above searches for; it is matched as a request path
# fragment, so it catches probes regardless of the destination host.
/data="0x%5B%5D=androxgh0st"