# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: emissary panda, apt27, apt 27, threat group 3390, bronze union, iron tiger, tg-3390, temp.hippo, group 35, ziptoken, goblin panda, cycldek, luckymouse

# Reference: https://securelist.ru/luckymouse-hits-national-data-center/90213/

bbs.sonypsps.com
update.iaacstudio.com
wh0am1.itbaydns.com
google-updata.tk
windows-updata.tk

# Reference: https://securelist.com/luckymouse-ndisproxy-driver/87914/

http://103.75.190.28
http://213.109.87.58

# Reference: https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

language.wikaba.com
solution.instanthq.com
trprivates.com
mildupdate.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-21: EmissaryPanda waterhole in Mongolia's president and parliament websites)

activity.maacson.com
bbs.maacson.com
dns.itbaydns.com
fasterwall.com
govmn.tk
static.fasterwall.com
wh0am1.itbaydns.com
maacson.com

# Reference: https://twitter.com/MeltX0R/status/1179800013150527488

tdjsyqty0takah2x.gitoos.com

# Reference: https://twitter.com/Vishnyak0v/status/1287308019336990720 (HyperBro backdoor)
# Reference: https://www.virustotal.com/gui/file/36fad80a5f328f487b20a3f5fc5f1902d50cbb1bd9167c44b66929a1288fc6f4/detection
# Reference: https://www.virustotal.com/gui/file/788bd34d3c5d12b9767f8ac5587f1970597c47fb06713a6070d430a593bb4945/detection

http://139.180.208.225/ajax

# Reference: https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4

36106g.com
cv3sa.gicp.net
kmbk8.hicp.net
sd123.eicp.net

# Reference: https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a

dn.dulichbiendao.org
gateway.vietbaotinmoi.com
web.thoitietvietnam.org
hn.dulichbiendao.org
halong.dulichculao.com
cat.toonganuh.com
new.sggpnews.com
dulichculao.com
wouderfulu.impresstravel.ga
toonganuh.com
coco.sodexoa.com

# Reference: https://medium.com/@Sebdraven/goblin-panda-changes-the-dropper-and-reused-the-old-infrastructure-a35915f3e37a

skylineqaz.crabdance.com
tele.zyns.com
tajikstantravel.dynamic-dns.net
uzwatersource.dynamic-dns.net

# Reference: https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
# Reference: https://otx.alienvault.com/pulse/5ccabe9589bea41847a35a0f

web.hcmuafgh.com

# Reference: https://blogs.quickheal.com/apt-27-like-newcore-rat-virut-exploiting-mysql-targeted-attacks-enterprise/

115.214.104.26:81
http://192.167.4.10
http://43.242.75.228
aibeichen.cn

# Reference: https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

185.12.45.134:443

# Reference: https://twitter.com/MeltX0R/status/1175309376493629440
# Reference: https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html

awvsf7esh.dellrescue.com
language.wikaba.com
solution.instanthq.com
yofeopxuuehixwmj.redhatupdater.com

# Reference: https://otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1

chatsecure.uk.to
chatsecurelite.uk.to
chatsecurelite.us.to
encryptit.qc.to
privatehd.us.to
sex17.us.to

# Reference: https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/
# Reference: https://otx.alienvault.com/pulse/5e734d45158714422bc4e774

motivation.neighboring.site

# Reference: https://twitter.com/_marklech_/status/1268138088167018498
# Reference: https://securelist.com/cycldek-bridging-the-air-gap/97157/

http://103.253.25.73
24h.tinthethaoi.com
cdn.laokpl.com
cophieu.dcsvnqvmn.com
hanghoa.trenduang.com
hcm.vietbaonam.com
images.webprogobest.com
info.coreders.com
khinhte.chinhsech.com
kinhte.chototem.com
lat.conglyan.com
login.dangquanwatch.com
login.diendanlichsu.com
login.giaoxuchuson.com
login.thanhnienthegioi.com
login.vietnamfar.com
luan.conglyan.com
mychau.dongnain.com
news.cooodkord.com
news.trungtamwtoa.com
nghiencuu.onetotechnologys.com
nhantai.xmeyeugh.com
quocphong.ministop14.com
thanhnien.vietnannnet.com
thegioi.kinhtevanhoa.com
thoitiet.yrindovn.com
tinmoi.thoitietdulich.com
tinmoi.vieclamthemde.com
tintuc.daikynguyen21.com
toiyeuvn.dongaruou.com
web.hcmuafgh.com
web.laomoodwin.com
web.laovoanew.com
tinthethaoi.com
laokpl.com
dcsvnqvmn.com
trenduang.com
vietbaonam.com
webprogobest.com
coreders.com
chinhsech.com
chototem.com
laovoanew.com
conglyan.com
dangquanwatch.com
diendanlichsu.com
giaoxuchuson.com
thanhnienthegioi.com
vietnamfar.com
dongnain.com
cooodkord.com
trungtamwtoa.com
onetotechnologys.com
xmeyeugh.com
ministop14.com
vietnannnet.com
kinhtevanhoa.com
yrindovn.com
thoitietdulich.com
vieclamthemde.com
daikynguyen21.com
dongaruou.com
hcmuafgh.com
laomoodwin.com

# Reference: https://twitter.com/pancak3lullz/status/1286021877375303682
# Reference: https://twitter.com/pancak3lullz/status/1286027620740726785
# Reference: https://app.any.run/tasks/949f2624-505c-4f10-a304-1671492f9a22/
# Reference: https://www.virustotal.com/gui/file/96e38c55174bf287fe0c21a4d8fa633a252d526bc57cd1b042c473816edb0fbf/detection

27.124.26.136:1943
27.124.26.136:59486
265g.site
gj.wxb2568.cn

# Reference: https://medium.com/@Sebdraven/rtf-royal-road-drops-a-new-backdoor-mfc-and-links-with-goblin-panda-90db06f80611
# Reference: https://otx.alienvault.com/pulse/5f43f48c0712b9c5245d4824
# Reference: https://www.virustotal.com/gui/ip-address/91.218.113.17/relations

ckvyk.com
ckvyk.net
ggfnv.com
jgkgv.net
jkncj.com
kmbk8.hicp.net

# Reference: https://otx.alienvault.com/pulse/5fd1090b830e4fba81b06cef

chrome-upgrade.com
microlynconline.com
vegispaceshop.org

# Reference: https://www.virustotal.com/gui/file/99cc8ee3a385c767e25ebaf2dcaefdc8c091150c1a7dadbda6b08356c34bb889/detection

adobesys.com

# Reference: https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/
# Reference: https://otx.alienvault.com/pulse/606dd51193fe95bf9552902e

cutepaty.com
giaitrinuoc.com
phongay.com
phong.giaitrinuoc.com
cloud.cutepaty.com
static.phongay.com
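The list above follows Maltrail's trail-file conventions: `#` comment lines, `# Reference:` lines that scope the indicators beneath them, and one indicator per line that is a domain, a bare IP, an IP:port pair, or a URL. The Python below is an added example, not Maltrail's own loader or matching code and not taken from any of the referenced write-ups. It parses a constructed excerpt in that format, then runs it over constructed log lines. The matching rules it applies (a domain trail covers its subdomains, a URL trail matches on host plus path prefix, an IP:port trail is checked before a bare IP) are this example's own assumptions about how such a list is meant to be used, not a description of how Maltrail matches.

```python
"""Parse a Maltrail-style trail list and run it over sample log events.

Added example; not Maltrail's loader. Trail excerpt and log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt in the trail-file format (entries taken from the list above).
TRAIL_EXCERPT = """\
# Reference: https://securelist.ru/luckymouse-hits-national-data-center/90213/
bbs.sonypsps.com

# Reference: https://securelist.com/luckymouse-ndisproxy-driver/87914/
http://103.75.190.28

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-21: EmissaryPanda waterhole in Mongolia's president and parliament websites)
maacson.com

# Reference: https://blogs.quickheal.com/apt-27-like-newcore-rat-virut-exploiting-mysql-targeted-attacks-enterprise/
115.214.104.26:81

# Reference: https://twitter.com/Vishnyak0v/status/1287308019336990720 (HyperBro backdoor)
http://139.180.208.225/ajax
"""

# Constructed log lines: "<timestamp> <src> <kind> <value>", kind is dns, http or conn.
SAMPLE_LOG = """\
2021-04-02T10:15:01Z 10.0.0.7 dns bbs.sonypsps.com
2021-04-02T10:15:02Z 10.0.0.7 dns static.maacson.com
2021-04-02T10:15:03Z 10.0.0.7 http http://139.180.208.225/ajax?id=7
2021-04-02T10:15:04Z 10.0.0.9 conn 115.214.104.26:81
2021-04-02T10:15:05Z 10.0.0.9 conn 115.214.104.26:443
2021-04-02T10:15:06Z 10.0.0.11 dns cdn.example.com
2021-04-02T10:15:07Z 10.0.0.11 http http://103.75.190.28/update.bin
2021-04-02T10:15:08Z 10.0.0.11 http http://139.180.208.225/
"""

REFERENCE_RE = re.compile(r"#\s*Reference:\s*(\S+)")  # trailing "(...)" notes are ignored


def parse_trails(text):
    """Return {indicator: (kind, reference)} with kind in domain/ip/ip:port/url."""
    trails, reference = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = REFERENCE_RE.match(line)
            if m:
                reference = m.group(1)  # scopes every indicator until the next Reference
            continue
        if "://" in line:
            kind = "url"
        else:
            host, _, port = line.partition(":")
            try:
                ipaddress.ip_address(host)
                kind = "ip:port" if port else "ip"
            except ValueError:
                kind = "domain"
        trails[line.lower()] = (kind, reference)
    return trails


def match_domain(name, trails):
    """Walk up the labels so a trail on a parent domain covers its subdomains."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never consider the bare TLD
        candidate = ".".join(labels[i:])
        hit = trails.get(candidate)
        if hit and hit[0] == "domain":
            return candidate, hit[1]
    return None


def match_url(url, trails):
    """URL trails match on host, port (if the trail names one) and path prefix."""
    u = urlsplit(url.lower())
    for indicator, (kind, ref) in trails.items():
        if kind == "url":
            t = urlsplit(indicator)
            if t.hostname == u.hostname and t.port in (None, u.port) and u.path.startswith(t.path):
                return indicator, ref
    hit = trails.get(u.hostname or "")
    if hit and hit[0] == "ip":
        return u.hostname, hit[1]
    return match_domain(u.hostname or "", trails)


def match_conn(dst, trails):
    """Exact ip:port first, then the bare IP; a trail with a port does not cover other ports."""
    for candidate in (dst, dst.rsplit(":", 1)[0]):
        hit = trails.get(candidate)
        if hit and hit[0] in ("ip:port", "ip"):
            return candidate, hit[1]
    return None


MATCHERS = {"dns": match_domain, "http": match_url, "conn": match_conn}


def scan_log(log_text, trails):
    """Return [(log line, indicator, reference)] for every event that hits a trail."""
    hits = []
    for line in log_text.splitlines():
        _ts, _src, kind, value = line.split(maxsplit=3)
        matcher = MATCHERS.get(kind)
        result = matcher(value, trails) if matcher else None
        if result:
            hits.append((line, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for line, indicator, reference in scan_log(SAMPLE_LOG, parse_trails(TRAIL_EXCERPT)):
        print(f"{line}\n    trail: {indicator}\n    ref:   {reference}")
```

Running it flags five of the eight events: the two DNS lookups (the second only because `static.maacson.com` sits under the `maacson.com` trail), the HyperBro `/ajax` request, the connection to `115.214.104.26:81`, and the download from `103.75.190.28`. The connection to port 443 on the same host and the request for `/` on `139.180.208.225` do not hit, which is the intended effect of port-specific and path-specific trails; when you want a whole host covered, list it as a bare IP or domain rather than as an IP:port or URL entry.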