# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt37, apt-c-37, geumseong121, group123, redeyes, scarcruft, Red Eyes, Venus 121, Thallium, ta406, Temp.Reaper # Reference: https://otx.alienvault.com/pulse/5d4456d289603cc548ddbc92 # Reference: https://blog.alyac.co.kr/2453 (Korean) # Reference: https://fortiguard.com/resources/threat-brief/2019/08/09/fortiguard-threat-intelligence-brief-august-09-2019 price365.co.kr/abbi/head0.jpg price365.co.kr/abbi/json/openssl.php price365.co.kr/abbi/tail0.jpg darvishkhan.net/wp-content/uploads/2017/06/update3.dat darvishkhan.net/wp-content/uploads/2017/06/update6.dat # Reference: http://blogs.360.cn/post/analysis-of-apt-c-37.html # Reference: https://otx.alienvault.com/pulse/5d7916e3f619df83fd65778e adamnews.for.ug btcaes2.duckdns.org da3da3.duckdns.org israanews.zz.com.ve mmksba.dyndns.org mmksba.simple-url.com samd1.duckdns.org samd2.duckdns.org sorry.duckdns.org webhoptest.webhop.info # Reference: https://twitter.com/blackorbird/status/1188726162928758784 # Reference: https://mp.weixin.qq.com/s/Wnb-r7SWbGGN-XuQ8fW_jw artmuseums.or.kr/swfupload/fla/1.jpg casaabadia.es/wp-content/uploads/2018/06/null/ fjtlephare.fr/wp-content/uploads/2018/05/null/ # Reference: https://twitter.com/blackorbird/status/1112904229495042049 # Reference: https://blog.alyac.co.kr/2226 (Korean) /skin15/include/bin/forlab.php /ct/data/icon/files/goal.php # Reference: https://twitter.com/navSi16/status/1066296138498629637 padosori.co.kr /_controller/admin/upload_sec/down.php # Reference: https://twitter.com/cyberwar_15/status/1122692430262706178 # Reference: https://blog.alyac.co.kr/2281 (Korean) youngs.dgweb.kr /skin15/include/bin/home.php # Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/ (Chinese) http://72.21.245.117 martnews.aba.ae mslove.mypressonline.com # Reference: 
https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU # Reference: https://malpedia.caad.fkie.fraunhofer.de/actor/apt37 # Reference: https://twitter.com/jfslowik/status/1212097943550873600 # Reference: https://otx.alienvault.com/pulse/5e0b9895c5ed003a85210202 (# Thallium) # Reference: https://pastebin.com/ScaPd18W ahooc.com app-wallet.com bigwnet.com bitwoll.com cexrout.com change-pw.com checkprofie.com cloudwebappservice.com com-change.pw com-serviceround.info ctquast.com dataviewering.com dauurn.net day-post.com dialy-post.com doc-view.work documentviewingcom.com dounn.net dovvn-mail.com down-error.com drivecheckingcom.com drog-service.com encodingmail.com files-download.net filinvestment.com fixcool.net foldershareing.com golangapis.com graphwin.com grnaeil.com gstaticstorage.com hanrnaii.net helpnaver.com hotrnall.com iinaver.com imap-login.com inbox-yahoo.com lh-logins.com lh-logs.com login-sec.com login-use.com mai1.info mail-down.com maingoogie.com maingoogle.com matmiho.com mihomat.com mofako.com naerver.com natwpersonal-online.com navuor.com nid-login.com nidlogon.com office356-us.org office365-us.org phlogin.com pieceview.club pw-change.com reader.cash reviewer.mobi rnaii.com rnailm.com rnicrosoft.com sec-live.com secrityprocessing.com securitedmode.com security-lnfo.com securytingmail.com seoulhobi.biz set-login.com smtper.org usrchecking.com wallet-vahoo.com yalnoo.com yrnall.com # Reference: https://twitter.com/kyleehmke/status/1212119523077349378 lnfo-master.com # Reference: https://twitter.com/kyleehmke/status/1217486993871056899 security-acount.info # Reference: https://otx.alienvault.com/pulse/5e206c7aef589acc3f96cb79 # Reference: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ blockochain.info files-downloader.net webmail-googie.com webmail-gooqle.com # Reference: https://twitter.com/cyberwar_15/status/1313379907926335489 (Korean) busyday.atwebpages.com # 
Reference: https://twitter.com/ShadowChasing1/status/1344266120413384705 # Reference: https://www.virustotal.com/gui/file/7820bc1aa19ed61d035a2b7efb315ddb8b73cdf4df6ca41c365ce60ec160e713/detection # Reference: https://www.virustotal.com/gui/file/9d58a6920db59a06e513cf077597a8e1848892ad2cf0ec9e3de8fd677efbfedd/detection hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php # Reference: https://blog.alyac.co.kr/3489 (Korean) frog.smtper.co/frog/ park.smtper.co/frogstock/ # Reference: https://blog.alyac.co.kr/3536 (Korean) # Reference: https://www.virustotal.com/gui/ip-address/23.106.160.32/relations factorgpu.com greenulz.com # Reference: https://twitter.com/cyberwar_15/status/1362413268472655877 klsa.onlinewebshop.net # Reference: https://twitter.com/C0ryInTheHous3/status/1364275034638942210 down-drive.me # Reference: https://twitter.com/cyberwar_15/status/1392459596069961734 nid-naver.servepics.com # Reference: https://twitter.com/cyberwar_15/status/1392488563309105155 # Reference: https://www.virustotal.com/gui/file/1136ba6837a18a39b430cd8d2a7ff276dbaddf813060c47725c7c629dbab7ce5/detection ahnlab.check.pe.hu # Reference: https://twitter.com/cyberwar_15/status/1392469490592411651 daum.sytes.net enolja.com naver.servemp3.com nid-naver.servehttp.com # Reference: https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48 # Reference: https://otx.alienvault.com/pulse/60eeb8b1f8a87529ba8d6d8c mobile-analytics-d0558.web.app # Reference: https://twitter.com/cyberwar_15/status/1422376991907450886 # Reference: https://www.boannews.com/media/view.asp?idx=99543 (Korean) # Reference: https://otx.alienvault.com/pulse/610a5db8cefc6068865ae665 tksrpdl.atwebpages.com # Reference: https://github.com/EmergingThreats/threatresearch/blob/master/ta406/ta406_ioclist.csv acount-pro.club acount-pro.live anlysis-info.xyz asia-studies.net bignaver.com carnegieinsider.com change-pw.com clonesec.us cloudnaver.com cloudocument.com cloudsecurityservice.net 
dailycloudservice.com daumhelp.net daum-protect.com deioncube.biz delivernaver.com delivers-security.com delivers-security.net diplomatictraining.com document-package.online documentpackages.link documentpackages.online documentpackage.space documentpackages.space documentpackages.store documentserver.site down-error.com download-apks.com downloader-hanmail.net download-live.com emailnaver.com globalcloudservices.org gooapi.online google-acount.com goolg-e.com goolge.space govermentweb.site help-master.online helpnaver.host helpnaver.link helpnaver.online help-naver.site helpnaver.site help-secure.info hpronto-login.com itamaraty.net knowledgeofworld.org lnfo-master.com login-protect.club login-protect.online mail-master.online microsoft-pro.host microsoft-pro.live microsoft-pro.site microsoft-pro.space midsecurity.org mid-service.com mid-service.org myethrvvallet.com mysoftazure.com naverhelp.com navermain.com naversecurity.us nicnaver.com nidnaver.host nidnaver.press nidnaver.site nidnaver.store noreply-cc.online noreply-goolge.com noreply-sec.online noreply-yahoo.com oaass-torrent.com proattachfile.com pronto-login.info pw-change.com resetpolicy.com resetprofile.com rfa.news rnaii.com rnail-inbox.com rnailm.com rnail-suport.site rneail.com secureaction.ru securelevel.site security-acount.info securitycounci1report.org security-delivers.com securityforcastreport.com security-lnfo.com security-nid.space security-pro.me security-pro.online securitysettings.info seoulhobi.biz servicenaver.com servicenidnaver.com sinoforecast.com softfilemanage.com ssidnaver.com stategov.biz support-info.network unosa.org voakorea.news voakoreas.com voipgoogle.com vpsino.org webofknowledg.com xfindphoneloc.com xn--mcrosoft-online-hic.com 0member-services.hol.es 1006ieudneu.atwebpages.com 1995ieudneu.atwebpages.com attachdown.000webhostapp.com attachdownload.000webhostapp.com attachdownload.99on.com dnsservice.esy.es emailru.99on.com firefox-plug.c1.biz koryogroup.1apps.com 
lookyes.c1.biz north-korea.medianewsonline.com online-manual.c1.biz romanovawillkillyou.c1.biz securitydownload.99on.com silverlog.hol.es softlay-ware.c1.biz takemetoyouheart.c1.biz taketodjnfnei898.c1.biz taketodjnfnei898.ueuo.com u13448720.ct.sendgrid.net u19402039.ct.sendgrid.net u7747409.ct.sendgrid.net u8253848.ct.sendgrid.net u9810308.ct.sendgrid.net upsrv.16mb.com vscode-plug.c1.biz win10-ms.c1.biz # Reference: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ acddesigns.com.au buttyfly.000webhostapp.com kmbr1.nitesbr1.org planar-progress.000webhostapp.com stjohns-burscough.org # Reference: https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ djsm.co.kr/js/20170805.hwp doseoul.com/bbs/data/hnc/update.php haeundaejugong.com/data/jugong/do.php haeundaejugong.com/editor/chinotto/do.php hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php kjdnc.gp114.net/data/log/do.php kumdo.org/admin/cont/do.php luminix.kr/bbs/data/proc/proc.php luminix.openhaja.com/bbs/data/proc1/proc.php # Reference: https://0xthreatintel.medium.com/apt37-targets-journalists-security-researchers-4d18c559767c js5950.cafe24.com kjdnc.gp114.net # Reference: https://twitter.com/midnight_comms/status/1467886870226952199 # Reference: https://www.virustotal.com/gui/file/3f3d492fe284569abb0ee60595e63ca5220ca8206c62df2a1f0ccfb8b9060405/detection annstyle.ru # Reference: https://twitter.com/midnight_comms/status/1467887093561053188 # Reference: https://www.virustotal.com/gui/file/facb0525447439cb402c1808e5a3a2436b887f8aa01af63201b1ca5350bee34e/detection iblcor.cafe24.com # Reference: https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf # Reference: https://otx.alienvault.com/pulse/61978976fed1a4a1794586e7 acl-medias.fr christinadudley.com fd-com.fr kswebdesign.eu oaass.co.kr rabadaun.com 
influencer.jvproduccionessv.com mail.apm.co.kr mail.summitz.com redalert.nshc.net securitydownload.99on.com simple.kswebdesign.eu # Reference: https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report_-The-ink-stained-trail-of-GOLDBACKDOOR.pdf # Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030646.html # Reference: https://otx.alienvault.com/pulse/6261887e15fc527fe850e657 dailynk.us lit-peak-25706.herokuapp.com mail.dailynk.us main.dailynk.us # Reference: https://twitter.com/cyberwar_15/status/1481430358629707776 # Reference: https://twitter.com/cyberwar_15/status/1528619208183287809 # Reference: https://twitter.com/ShadowChasing1/status/1529451994532167682 bigfilemail.net work3.b4a.app # Reference: https://otx.alienvault.com/pulse/62e127f6ae973b499899ff9b # Reference: https://www.virustotal.com/gui/file/0675443b6438e3a7e910d591aaefcf616a65e55856aa0aea58305f23035818f8/detection http://185.176.43.106 # Reference: https://twitter.com/Timele9527/status/1600690222685032448 # Reference: https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/ free-xmlformat.com ms-office.services ms-offices.com openxmlformat.org template-openxml.com word-template.net # Reference: https://www.cib.gov.tw/News/BulletinDetail/8294 # Reference: https://otx.alienvault.com/pulse/5ec7ff4ec67d6aca23b7c350 # Reference: https://www.virustotal.com/gui/file/926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f/detection # Reference: https://www.virustotal.com/gui/file/af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf/detection outlook-offices.com phonectrl.com tibet-office.com conference.outlook-offices.com file.outlook-offices.com mofa.outlook-offices.com nds1.outlook-offices.com office.phonectrl.com file-sharing.tibet-office.com