# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt37, apt-c-37, geumseong121, group123, redeyes, scarcruft, Red Eyes, Venus 121, Thallium, ta406, Temp.Reaper

# Reference: https://otx.alienvault.com/pulse/5d4456d289603cc548ddbc92
# Reference: https://blog.alyac.co.kr/2453 (Korean)
# Reference: https://fortiguard.com/resources/threat-brief/2019/08/09/fortiguard-threat-intelligence-brief-august-09-2019

price365.co.kr/abbi/head0.jpg
price365.co.kr/abbi/json/openssl.php
price365.co.kr/abbi/tail0.jpg
darvishkhan.net/wp-content/uploads/2017/06/update3.dat
darvishkhan.net/wp-content/uploads/2017/06/update6.dat

# Reference: http://blogs.360.cn/post/analysis-of-apt-c-37.html
# Reference: https://otx.alienvault.com/pulse/5d7916e3f619df83fd65778e

adamnews.for.ug
btcaes2.duckdns.org
da3da3.duckdns.org
israanews.zz.com.ve
mmksba.dyndns.org
mmksba.simple-url.com
samd1.duckdns.org
samd2.duckdns.org
sorry.duckdns.org
webhoptest.webhop.info

# Reference: https://twitter.com/blackorbird/status/1188726162928758784
# Reference: https://mp.weixin.qq.com/s/Wnb-r7SWbGGN-XuQ8fW_jw

artmuseums.or.kr/swfupload/fla/1.jpg
casaabadia.es/wp-content/uploads/2018/06/null/
fjtlephare.fr/wp-content/uploads/2018/05/null/

# Reference: https://twitter.com/blackorbird/status/1112904229495042049
# Reference: https://blog.alyac.co.kr/2226 (Korean)

/skin15/include/bin/forlab.php
/ct/data/icon/files/goal.php

# Reference: https://twitter.com/navSi16/status/1066296138498629637

padosori.co.kr
/_controller/admin/upload_sec/down.php

# Reference: https://twitter.com/cyberwar_15/status/1122692430262706178
# Reference: https://blog.alyac.co.kr/2281 (Korean)

youngs.dgweb.kr
/skin15/include/bin/home.php

# Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/ (Chinese)

http://72.21.245.117
martnews.aba.ae
mslove.mypressonline.com

# Reference: https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU
# Reference: https://malpedia.caad.fkie.fraunhofer.de/actor/apt37
# Reference: https://twitter.com/jfslowik/status/1212097943550873600
# Reference: https://otx.alienvault.com/pulse/5e0b9895c5ed003a85210202 (# Thallium)
# Reference: https://pastebin.com/ScaPd18W

ahooc.com
app-wallet.com
bigwnet.com
bitwoll.com
cexrout.com
change-pw.com
checkprofie.com
cloudwebappservice.com
com-change.pw
com-serviceround.info
ctquast.com
dataviewering.com
dauurn.net
day-post.com
dialy-post.com
doc-view.work
documentviewingcom.com
dounn.net
dovvn-mail.com
down-error.com
drivecheckingcom.com
drog-service.com
encodingmail.com
files-download.net
filinvestment.com
fixcool.net
foldershareing.com
golangapis.com
graphwin.com
grnaeil.com
gstaticstorage.com
hanrnaii.net
helpnaver.com
hotrnall.com
iinaver.com
imap-login.com
inbox-yahoo.com
lh-logins.com
lh-logs.com
login-sec.com
login-use.com
mai1.info
mail-down.com
maingoogie.com
maingoogle.com
matmiho.com
mihomat.com
mofako.com
naerver.com
natwpersonal-online.com
navuor.com
nid-login.com
nidlogon.com
office356-us.org
office365-us.org
phlogin.com
pieceview.club
pw-change.com
reader.cash
reviewer.mobi
rnaii.com
rnailm.com
rnicrosoft.com
sec-live.com
secrityprocessing.com
securitedmode.com
security-lnfo.com
securytingmail.com
seoulhobi.biz
set-login.com
smtper.org
usrchecking.com
wallet-vahoo.com
yalnoo.com
yrnall.com

# Reference: https://twitter.com/kyleehmke/status/1212119523077349378

lnfo-master.com

# Reference: https://twitter.com/kyleehmke/status/1217486993871056899

security-acount.info

# Reference: https://otx.alienvault.com/pulse/5e206c7aef589acc3f96cb79
# Reference: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/

blockochain.info
files-downloader.net
webmail-googie.com
webmail-gooqle.com

# Reference: https://twitter.com/cyberwar_15/status/1313379907926335489 (Korean)

busyday.atwebpages.com

# Reference: https://twitter.com/ShadowChasing1/status/1344266120413384705
# Reference: https://www.virustotal.com/gui/file/7820bc1aa19ed61d035a2b7efb315ddb8b73cdf4df6ca41c365ce60ec160e713/detection
# Reference: https://www.virustotal.com/gui/file/9d58a6920db59a06e513cf077597a8e1848892ad2cf0ec9e3de8fd677efbfedd/detection

hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php

# Reference: https://blog.alyac.co.kr/3489 (Korean)

frog.smtper.co/frog/
park.smtper.co/frogstock/

# Reference: https://blog.alyac.co.kr/3536 (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/23.106.160.32/relations

factorgpu.com
greenulz.com

# Reference: https://twitter.com/cyberwar_15/status/1362413268472655877

klsa.onlinewebshop.net

# Reference: https://twitter.com/C0ryInTheHous3/status/1364275034638942210

down-drive.me

# Reference: https://twitter.com/cyberwar_15/status/1392459596069961734

nid-naver.servepics.com

# Refereence: https://twitter.com/cyberwar_15/status/1392488563309105155
# Reference: https://www.virustotal.com/gui/file/1136ba6837a18a39b430cd8d2a7ff276dbaddf813060c47725c7c629dbab7ce5/detection

ahnlab.check.pe.hu

# Reference: https://twitter.com/cyberwar_15/status/1392469490592411651

daum.sytes.net
enolja.com
naver.servemp3.com
nid-naver.servehttp.com

# Reference: https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48
# Reference: https://otx.alienvault.com/pulse/60eeb8b1f8a87529ba8d6d8c

mobile-analytics-d0558.web.app

# Reference: https://twitter.com/cyberwar_15/status/1422376991907450886
# Reference: https://www.boannews.com/media/view.asp?idx=99543 (Korean)
# Reference: https://otx.alienvault.com/pulse/610a5db8cefc6068865ae665

tksrpdl.atwebpages.com

# Reference: https://github.com/EmergingThreats/threatresearch/blob/master/ta406/ta406_ioclist.csv

acount-pro.club
acount-pro.live
anlysis-info.xyz
asia-studies.net
bignaver.com
carnegieinsider.com
change-pw.com
clonesec.us
cloudnaver.com
cloudocument.com
cloudsecurityservice.net
dailycloudservice.com
daumhelp.net
daum-protect.com
deioncube.biz
delivernaver.com
delivers-security.com
delivers-security.net
diplomatictraining.com
document-package.online
documentpackages.link
documentpackages.online
documentpackage.space
documentpackages.space
documentpackages.store
documentserver.site
down-error.com
download-apks.com
downloader-hanmail.net
download-live.com
emailnaver.com
globalcloudservices.org
gooapi.online
google-acount.com
goolg-e.com
goolge.space
govermentweb.site
help-master.online
helpnaver.host
helpnaver.link
helpnaver.online
help-naver.site
helpnaver.site
help-secure.info
hpronto-login.com
itamaraty.net
knowledgeofworld.org
lnfo-master.com
login-protect.club
login-protect.online
mail-master.online
microsoft-pro.host
microsoft-pro.live
microsoft-pro.site
microsoft-pro.space
midsecurity.org
mid-service.com
mid-service.org
myethrvvallet.com
mysoftazure.com
naverhelp.com
navermain.com
naversecurity.us
nicnaver.com
nidnaver.host
nidnaver.press
nidnaver.site
nidnaver.store
noreply-cc.online
noreply-goolge.com
noreply-sec.online
noreply-yahoo.com
oaass-torrent.com
proattachfile.com
pronto-login.info
pw-change.com
resetpolicy.com
resetprofile.com
rfa.news
rnaii.com
rnail-inbox.com
rnailm.com
rnail-suport.site
rneail.com
secureaction.ru
securelevel.site
security-acount.info
securitycounci1report.org
security-delivers.com
securityforcastreport.com
security-lnfo.com
security-nid.space
security-pro.me
security-pro.online
securitysettings.info
seoulhobi.biz
servicenaver.com
servicenidnaver.com
sinoforecast.com
softfilemanage.com
ssidnaver.com
stategov.biz
support-info.network
unosa.org
voakorea.news
voakoreas.com
voipgoogle.com
vpsino.org
webofknowledg.com
xfindphoneloc.com
xn--mcrosoft-online-hic.com
0member-services.hol.es
1006ieudneu.atwebpages.com
1995ieudneu.atwebpages.com
attachdown.000webhostapp.com
attachdownload.000webhostapp.com
attachdownload.99on.com
dnsservice.esy.es
emailru.99on.com
firefox-plug.c1.biz
koryogroup.1apps.com
lookyes.c1.biz
north-korea.medianewsonline.com
online-manual.c1.biz
romanovawillkillyou.c1.biz
securitydownload.99on.com
silverlog.hol.es
softlay-ware.c1.biz
takemetoyouheart.c1.biz
taketodjnfnei898.c1.biz
taketodjnfnei898.ueuo.com
u13448720.ct.sendgrid.net
u19402039.ct.sendgrid.net
u7747409.ct.sendgrid.net
u8253848.ct.sendgrid.net
u9810308.ct.sendgrid.net
upsrv.16mb.com
vscode-plug.c1.biz
win10-ms.c1.biz

# Reference: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

acddesigns.com.au
buttyfly.000webhostapp.com
kmbr1.nitesbr1.org
planar-progress.000webhostapp.com
stjohns-burscough.org

# Reference: https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/

djsm.co.kr/js/20170805.hwp
doseoul.com/bbs/data/hnc/update.php
haeundaejugong.com/data/jugong/do.php
haeundaejugong.com/editor/chinotto/do.php
hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php
kjdnc.gp114.net/data/log/do.php
kumdo.org/admin/cont/do.php
luminix.kr/bbs/data/proc/proc.php
luminix.openhaja.com/bbs/data/proc1/proc.php

# Reference: https://0xthreatintel.medium.com/apt37-targets-journalists-security-researchers-4d18c559767c

js5950.cafe24.com
kjdnc.gp114.net

# Reference: https://twitter.com/midnight_comms/status/1467886870226952199
# Reference: https://www.virustotal.com/gui/file/3f3d492fe284569abb0ee60595e63ca5220ca8206c62df2a1f0ccfb8b9060405/detection

annstyle.ru

# Reference: https://twitter.com/midnight_comms/status/1467887093561053188
# Reference: https://www.virustotal.com/gui/file/facb0525447439cb402c1808e5a3a2436b887f8aa01af63201b1ca5350bee34e/detection

iblcor.cafe24.com

# Reference: https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf
# Reference: https://otx.alienvault.com/pulse/61978976fed1a4a1794586e7

acl-medias.fr
christinadudley.com
fd-com.fr
kswebdesign.eu
oaass.co.kr
rabadaun.com
influencer.jvproduccionessv.com
mail.apm.co.kr
mail.summitz.com
redalert.nshc.net
securitydownload.99on.com
simple.kswebdesign.eu

# Reference: https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report_-The-ink-stained-trail-of-GOLDBACKDOOR.pdf
# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030646.html
# Reference: https://otx.alienvault.com/pulse/6261887e15fc527fe850e657

dailynk.us
lit-peak-25706.herokuapp.com
mail.dailynk.us
main.dailynk.us

# Reference: https://twitter.com/cyberwar_15/status/1481430358629707776
# Reference: https://twitter.com/cyberwar_15/status/1528619208183287809
# Reference: https://twitter.com/ShadowChasing1/status/1529451994532167682

bigfilemail.net
work3.b4a.app

# Reference: https://otx.alienvault.com/pulse/62e127f6ae973b499899ff9b
# Reference: https://www.virustotal.com/gui/file/0675443b6438e3a7e910d591aaefcf616a65e55856aa0aea58305f23035818f8/detection

http://185.176.43.106

# Reference: https://twitter.com/Timele9527/status/1600690222685032448
# Reference: https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/

free-xmlformat.com
ms-office.services
ms-offices.com
openxmlformat.org
template-openxml.com
word-template.net

# Reference: https://www.cib.gov.tw/News/BulletinDetail/8294
# Reference: https://otx.alienvault.com/pulse/5ec7ff4ec67d6aca23b7c350
# Reference: https://www.virustotal.com/gui/file/926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f/detection
# Reference: https://www.virustotal.com/gui/file/af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf/detection

outlook-offices.com
phonectrl.com
tibet-office.com
conference.outlook-offices.com
file.outlook-offices.com
mofa.outlook-offices.com
nds1.outlook-offices.com
office.phonectrl.com
file-sharing.tibet-office.com