# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: emissary panda, apt27, apt 27, threat group 3390, bronze union, iron tiger, tg-3390, temp.hippo, group 35, ziptoken, goblin panda, emissary panda, cycldek, luckymouse

# Reference: https://securelist.ru/luckymouse-hits-national-data-center/90213/

bbs.sonypsps.com
update.iaacstudio.com
wh0am1.itbaydns.com
google-updata.tk
windows-updata.tk

# Reference: https://securelist.com/luckymouse-ndisproxy-driver/87914/

http://103.75.190.28
http://213.109.87.58

# Reference: https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

language.wikaba.com
solution.instanthq.com
trprivates.com
mildupdate.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-21: EmissaryPanda waterhole in Mongolia's president and parliament websites)

activity.maacson.com
bbs.maacson.com
dns.itbaydns.com
fasterwall.com
govmn.tk
static.fasterwall.com
wh0am1.itbaydns.com
maacson.com

# Reference: https://twitter.com/MeltX0R/status/1179800013150527488

tdjsyqty0takah2x.gitoos.com

# Reference: https://twitter.com/Vishnyak0v/status/1287308019336990720 (# HyperBro backdoor)
# Reference: https://www.virustotal.com/gui/file/36fad80a5f328f487b20a3f5fc5f1902d50cbb1bd9167c44b66929a1288fc6f4/detection
# Reference: https://www.virustotal.com/gui/file/788bd34d3c5d12b9767f8ac5587f1970597c47fb06713a6070d430a593bb4945/detection

http://139.180.208.225/ajax

# Reference: https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4

36106g.com
cv3sa.gicp.net
kmbk8.hicp.net
sd123.eicp.net

# Reference: https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a

dn.dulichbiendao.org
gateway.vietbaotinmoi.com
web.thoitietvietnam.org
hn.dulichbiendao.org
halong.dulichculao.com
cat.toonganuh.com
new.sggpnews.com
dulichculao.com
wouderfulu.impresstravel.ga
toonganuh.com
coco.sodexoa.com

# Reference: https://medium.com/@Sebdraven/goblin-panda-changes-the-dropper-and-reused-the-old-infrastructure-a35915f3e37a

skylineqaz.crabdance.com
tele.zyns.com
tajikstantravel.dynamic-dns.net
uzwatersource.dynamic-dns.net

# Reference: https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
# Reference: https://otx.alienvault.com/pulse/5ccabe9589bea41847a35a0f

web.hcmuafgh.com

# Reference: https://blogs.quickheal.com/apt-27-like-newcore-rat-virut-exploiting-mysql-targeted-attacks-enterprise/

115.214.104.26:81
http://192.167.4.10
http://43.242.75.228
aibeichen.cn

# Reference: https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

185.12.45.134:443

# Reference: https://twitter.com/MeltX0R/status/1175309376493629440
# Reference: https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html

awvsf7esh.dellrescue.com
language.wikaba.com
solution.instanthq.com
yofeopxuuehixwmj.redhatupdater.com

# Reference: https://otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1

chatsecure.uk.to
chatsecurelite.uk.to
chatsecurelite.us.to
encryptit.qc.to
privatehd.us.to
sex17.us.to

# Reference: https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/
# Reference: https://otx.alienvault.com/pulse/5e734d45158714422bc4e774

motivation.neighboring.site

# Reference: https://twitter.com/_marklech_/status/1268138088167018498
# Reference: https://securelist.com/cycldek-bridging-the-air-gap/97157/

http://103.253.25.73
24h.tinthethaoi.com
cdn.laokpl.com
cophieu.dcsvnqvmn.com
hanghoa.trenduang.com
hcm.vietbaonam.com
images.webprogobest.com
info.coreders.com
khinhte.chinhsech.com
kinhte.chototem.com
lat.conglyan.com
login.dangquanwatch.com
login.diendanlichsu.com
login.giaoxuchuson.com
login.thanhnienthegioi.com
login.vietnamfar.com
luan.conglyan.com
mychau.dongnain.com
news.cooodkord.com
news.trungtamwtoa.com
nghiencuu.onetotechnologys.com
nhantai.xmeyeugh.com
quocphong.ministop14.com
thanhnien.vietnannnet.com
thegioi.kinhtevanhoa.com
thoitiet.yrindovn.com
tinmoi.thoitietdulich.com
tinmoi.vieclamthemde.com
tintuc.daikynguyen21.com
toiyeuvn.dongaruou.com
web.hcmuafgh.com
web.laomoodwin.com
web.laovoanew.com
tinthethaoi.com
laokpl.com
dcsvnqvmn.com
trenduang.com
vietbaonam.com
webprogobest.com
coreders.com
chinhsech.com
chototem.com
laovoanew.com
conglyan.com
dangquanwatch.com
diendanlichsu.com
giaoxuchuson.com
thanhnienthegioi.com
vietnamfar.com
conglyan.com
dongnain.com
cooodkord.com
trungtamwtoa.com
onetotechnologys.com
xmeyeugh.com
ministop14.com
vietnannnet.com
kinhtevanhoa.com
yrindovn.com
thoitietdulich.com
vieclamthemde.com
daikynguyen21.com
dongaruou.com
hcmuafgh.com
laomoodwin.com
laovoanew.com

# Reference: https://twitter.com/pancak3lullz/status/1286021877375303682
# Reference: https://twitter.com/pancak3lullz/status/1286027620740726785
# Reference: https://app.any.run/tasks/949f2624-505c-4f10-a304-1671492f9a22/
# Reference: https://www.virustotal.com/gui/file/96e38c55174bf287fe0c21a4d8fa633a252d526bc57cd1b042c473816edb0fbf/detection

27.124.26.136:1943
27.124.26.136:59486
265g.site
gj.wxb2568.cn

# Reference: https://medium.com/@Sebdraven/rtf-royal-road-drops-a-new-backdoor-mfc-and-links-with-goblin-panda-90db06f80611
# Reference: https://otx.alienvault.com/pulse/5f43f48c0712b9c5245d4824
# Reference: https://www.virustotal.com/gui/ip-address/91.218.113.17/relations

ckvyk.com
ckvyk.net
ggfnv.com
jgkgv.net
jkncj.com
kmbk8.hicp.net

# Reference: https://otx.alienvault.com/pulse/5fd1090b830e4fba81b06cef

chrome-upgrade.com
microlynconline.com
vegispaceshop.org

# Reference: https://www.virustotal.com/gui/file/99cc8ee3a385c767e25ebaf2dcaefdc8c091150c1a7dadbda6b08356c34bb889/detection

adobesys.com

# Reference: https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/
# Reference: https://otx.alienvault.com/pulse/606dd51193fe95bf9552902e

cutepaty.com
giaitrinuoc.com
phongay.com
phong.giaitrinuoc.com
cloud.cutepaty.com
static.phongay.com

# Reference: https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html
# Reference: https://otx.alienvault.com/pulse/607094697706cc521d0f0788

35.187.148.253:443
35.220.135.85:443
47.75.49.32:443
85.204.74.143:443
89.35.178.105:443
settings-win.dyndns-office.com